| Repository | aztfmod / terraform-azurerm-caf |
|---|---|
| Description | Terraform supermodule for the Terraform platform engineering for Azure |
| Stars | 466 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
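The gating step that the second bullet calls for, as an added example (not code from the scanned repository or from checkov itself): a small Python policy gate that reads checkov's JSON output and blocks a pipeline only on a chosen set of check IDs, so that a repository with 197 pre-existing findings can adopt scanning without a big-bang fix. It assumes checkov was run as `checkov -d . --framework terraform -o json > checkov.json`; the field names it reads (`results.failed_checks[].check_id`, `resource`, `file_path`, `file_line_range`, `results.parsing_errors`) follow checkov's JSON reporter, and the embedded report is constructed to mirror three of the findings below, not copied from a real run. The blocking set is a choice made for this example.

```python
import json
import sys
from collections import defaultdict

# Example blocking set, chosen from the findings in this report; tune per repository.
BLOCKING_CHECKS = {
    "CKV_AZURE_41",   # Key Vault secret without expiration_date
    "CKV_AZURE_139",  # ACR reachable from the public internet
    "CKV_AZURE_173",  # API Management accepting TLS below 1.2
}

# Constructed sample in checkov's JSON layout, trimmed to the fields the gate reads.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AZURE_41",
             "resource": "module.example.module.synapse_workspaces.azurerm_key_vault_secret.sql_admin_password",
             "file_path": "/modules/analytics/synapse/workspace.tf", "file_line_range": [90, 102]},
            {"check_id": "CKV_AZURE_114",
             "resource": "module.example.module.synapse_workspaces.azurerm_key_vault_secret.sql_admin_password",
             "file_path": "/modules/analytics/synapse/workspace.tf", "file_line_range": [90, 102]},
            {"check_id": "CKV_AZURE_139",
             "resource": "module.example.module.container_registry.azurerm_container_registry.acr",
             "file_path": "/modules/compute/container_registry/registry.tf", "file_line_range": [11, 54]},
        ],
        "skipped_checks": [],
        # Constructed path: a file checkov could not parse (and therefore never scanned).
        "parsing_errors": ["/modules/example_unparsed/main.tf"],
    },
    "summary": {"passed": 95, "failed": 3, "skipped": 0, "parsing_errors": 1},
})


def load_report(report_text):
    """Return (failed_checks, parsing_errors) from checkov JSON.

    checkov writes one object for a single framework and a list of objects when
    several frameworks are scanned in one run; both shapes are accepted.
    """
    doc = json.loads(report_text)
    docs = doc if isinstance(doc, list) else [doc]
    failed, parse_errors = [], []
    for d in docs:
        results = d.get("results", {})
        failed.extend(results.get("failed_checks", []))
        parse_errors.extend(results.get("parsing_errors", []))
    return failed, parse_errors


def group_by_check(failed):
    """Map check_id -> sorted unique 'file:start-end resource' locations.

    The same resource is reported once per failing check, so grouping by check
    id gives the count a reviewer actually has to fix.
    """
    grouped = defaultdict(set)
    for f in failed:
        start, end = f.get("file_line_range", [0, 0])
        grouped[f["check_id"]].add(f"{f['file_path']}:{start}-{end} {f['resource']}")
    return {cid: sorted(locs) for cid, locs in grouped.items()}


def gate(report_text, blocking=BLOCKING_CHECKS, fail_on_parse_errors=True):
    """Return (ok, blocking_findings, advisory_findings, parse_errors).

    Parsing errors fail the gate by default: a file checkov could not parse was
    not scanned, so an empty finding list for it proves nothing.
    """
    failed, parse_errors = load_report(report_text)
    grouped = group_by_check(failed)
    blocking_findings = {c: l for c, l in grouped.items() if c in blocking}
    advisory_findings = {c: l for c, l in grouped.items() if c not in blocking}
    ok = not blocking_findings and not (fail_on_parse_errors and parse_errors)
    return ok, blocking_findings, advisory_findings, parse_errors


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, block, advise, perr = gate(text)
    for cid, locs in sorted(block.items()):
        print(f"BLOCKING {cid}: {len(locs)} resource(s)")
        for loc in locs:
            print(f"    {loc}")
    for cid, locs in sorted(advise.items()):
        print(f"advisory {cid}: {len(locs)} resource(s)")
    for path in perr:
        print(f"PARSE ERROR (not scanned): {path}")
    sys.exit(0 if ok else 1)
```

checkov's own `--check`, `--skip-check`, `--soft-fail` and `--baseline` flags can express much of this on the command line; the point of keeping the policy in a script committed next to the pipeline is that the blocking set and its rationale are reviewed like any other code. Note that the summary below reports `Parsing errors: 2`: whatever those two files contain was not scanned at all, which is why the gate refuses to pass on parsing errors unless told otherwise.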
Checkov Output
terraform scan results:
Passed checks: 95, Failed checks: 197, Skipped checks: 0, Parsing errors: 2
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.sql_admin_password
File: /modules/analytics/synapse/workspace.tf:90-102
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
90 | resource "azurerm_key_vault_secret" "sql_admin_password" {
91 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
92 |
93 | name = format("%s-synapse-sql-admin-password", azurerm_synapse_workspace.ws.name)
94 | value = random_password.sql_admin.0.result
95 | key_vault_id = var.keyvault_id
96 |
97 | lifecycle {
98 | ignore_changes = [
99 | value
100 | ]
101 | }
102 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.sql_admin_password
File: /modules/analytics/synapse/workspace.tf:90-102
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
90 | resource "azurerm_key_vault_secret" "sql_admin_password" {
91 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
92 |
93 | name = format("%s-synapse-sql-admin-password", azurerm_synapse_workspace.ws.name)
94 | value = random_password.sql_admin.0.result
95 | key_vault_id = var.keyvault_id
96 |
97 | lifecycle {
98 | ignore_changes = [
99 | value
100 | ]
101 | }
102 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.sql_admin
File: /modules/analytics/synapse/workspace.tf:104-110
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
104 | resource "azurerm_key_vault_secret" "sql_admin" {
105 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
106 |
107 | name = format("%s-synapse-sql-admin-username", azurerm_synapse_workspace.ws.name)
108 | value = var.settings.sql_administrator_login
109 | key_vault_id = var.keyvault_id
110 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.sql_admin
File: /modules/analytics/synapse/workspace.tf:104-110
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
104 | resource "azurerm_key_vault_secret" "sql_admin" {
105 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
106 |
107 | name = format("%s-synapse-sql-admin-username", azurerm_synapse_workspace.ws.name)
108 | value = var.settings.sql_administrator_login
109 | key_vault_id = var.keyvault_id
110 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.synapse_name
File: /modules/analytics/synapse/workspace.tf:112-118
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
112 | resource "azurerm_key_vault_secret" "synapse_name" {
113 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
114 |
115 | name = format("%s-synapse-name", azurerm_synapse_workspace.ws.name)
116 | value = azurerm_synapse_workspace.ws.name
117 | key_vault_id = var.keyvault_id
118 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.synapse_name
File: /modules/analytics/synapse/workspace.tf:112-118
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
112 | resource "azurerm_key_vault_secret" "synapse_name" {
113 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
114 |
115 | name = format("%s-synapse-name", azurerm_synapse_workspace.ws.name)
116 | value = azurerm_synapse_workspace.ws.name
117 | key_vault_id = var.keyvault_id
118 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.synapse_rg_name
File: /modules/analytics/synapse/workspace.tf:120-126
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
120 | resource "azurerm_key_vault_secret" "synapse_rg_name" {
121 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
122 |
123 | name = format("%s-synapse-resource-group-name", azurerm_synapse_workspace.ws.name)
124 | value = local.resource_group_name
125 | key_vault_id = var.keyvault_id
126 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_key_vault_secret.synapse_rg_name
File: /modules/analytics/synapse/workspace.tf:120-126
Calling File: /synapses.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
120 | resource "azurerm_key_vault_secret" "synapse_rg_name" {
121 | count = try(var.settings.sql_administrator_login_password, null) == null ? 1 : 0
122 |
123 | name = format("%s-synapse-resource-group-name", azurerm_synapse_workspace.ws.name)
124 | value = local.resource_group_name
125 | key_vault_id = var.keyvault_id
126 | }
Check: CKV_AZURE_173: "Ensure API management uses at least TLS 1.2"
FAILED for resource: module.example.module.api_management.azurerm_api_management.apim
File: /modules/apim/api_management/module.tf:11-217
Calling File: /api_management.tf:1-19
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_174: "Ensure API management public access is disabled"
FAILED for resource: module.example.module.api_management.azurerm_api_management.apim
File: /modules/apim/api_management/module.tf:11-217
Calling File: /api_management.tf:1-19
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_215: "Ensure API management backend uses https"
FAILED for resource: module.example.module.api_management_backend.azurerm_api_management_backend.apim
File: /modules/apim/api_management_backend/module.tf:11-67
Calling File: /api_management.tf:107-122
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_applications.azurerm_key_vault_secret.client_id
File: /modules/azuread/applications/keyvault_secrets.tf:2-15
Calling File: /azuread_applications.tf:8-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
2 | resource "azurerm_key_vault_secret" "client_id" {
3 | for_each = try(var.settings.keyvaults, {})
4 |
5 | name = format("%s-client-id", each.value.secret_prefix)
6 | value = azuread_application.app.application_id
7 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
8 |
9 | lifecycle {
10 | ignore_changes = [
11 | value
12 | ]
13 | }
14 |
15 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_applications.azurerm_key_vault_secret.client_id
File: /modules/azuread/applications/keyvault_secrets.tf:2-15
Calling File: /azuread_applications.tf:8-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
2 | resource "azurerm_key_vault_secret" "client_id" {
3 | for_each = try(var.settings.keyvaults, {})
4 |
5 | name = format("%s-client-id", each.value.secret_prefix)
6 | value = azuread_application.app.application_id
7 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
8 |
9 | lifecycle {
10 | ignore_changes = [
11 | value
12 | ]
13 | }
14 |
15 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_applications.azurerm_key_vault_secret.client_secret
File: /modules/azuread/applications/keyvault_secrets.tf:17-23
Calling File: /azuread_applications.tf:8-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
17 | resource "azurerm_key_vault_secret" "client_secret" {
18 | for_each = try(var.settings.keyvaults, {})
19 | name = format("%s-client-secret", each.value.secret_prefix)
20 | value = azuread_service_principal_password.pwd.value
21 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
22 | expiration_date = timeadd(time_rotating.pwd.id, format("%sh", local.password_policy.expire_in_days * 24))
23 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_applications.azurerm_key_vault_secret.tenant_id
File: /modules/azuread/applications/keyvault_secrets.tf:25-30
Calling File: /azuread_applications.tf:8-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
25 | resource "azurerm_key_vault_secret" "tenant_id" {
26 | for_each = try(var.settings.keyvaults, {})
27 | name = format("%s-tenant-id", each.value.secret_prefix)
28 | value = var.client_config.tenant_id
29 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
30 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_applications.azurerm_key_vault_secret.tenant_id
File: /modules/azuread/applications/keyvault_secrets.tf:25-30
Calling File: /azuread_applications.tf:8-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
25 | resource "azurerm_key_vault_secret" "tenant_id" {
26 | for_each = try(var.settings.keyvaults, {})
27 | name = format("%s-tenant-id", each.value.secret_prefix)
28 | value = var.client_config.tenant_id
29 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
30 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_credentials.azurerm_key_vault_secret.client_id
File: /modules/azuread/credentials/keyvault_secrets.tf:2-11
Calling File: /azuread_credentials.tf:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
2 | resource "azurerm_key_vault_secret" "client_id" {
3 | for_each = try(var.settings.keyvaults, {})
4 |
5 | name = format("%s-client-id", each.value.secret_prefix)
6 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
7 |
8 | value = coalesce(
9 | try(var.resources.application.application_id, null)
10 | )
11 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_credentials.azurerm_key_vault_secret.client_id
File: /modules/azuread/credentials/keyvault_secrets.tf:2-11
Calling File: /azuread_credentials.tf:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
2 | resource "azurerm_key_vault_secret" "client_id" {
3 | for_each = try(var.settings.keyvaults, {})
4 |
5 | name = format("%s-client-id", each.value.secret_prefix)
6 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
7 |
8 | value = coalesce(
9 | try(var.resources.application.application_id, null)
10 | )
11 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_credentials.azurerm_key_vault_secret.tenant_id
File: /modules/azuread/credentials/keyvault_secrets.tf:13-18
Calling File: /azuread_credentials.tf:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
13 | resource "azurerm_key_vault_secret" "tenant_id" {
14 | for_each = try(var.settings.keyvaults, {})
15 | name = format("%s-tenant-id", each.value.secret_prefix)
16 | value = try(each.value.tenant_id, var.client_config.tenant_id)
17 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
18 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_credentials.azurerm_key_vault_secret.tenant_id
File: /modules/azuread/credentials/keyvault_secrets.tf:13-18
Calling File: /azuread_credentials.tf:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
13 | resource "azurerm_key_vault_secret" "tenant_id" {
14 | for_each = try(var.settings.keyvaults, {})
15 | name = format("%s-tenant-id", each.value.secret_prefix)
16 | value = try(each.value.tenant_id, var.client_config.tenant_id)
17 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
18 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_credentials.azurerm_key_vault_secret.client_secret
File: /modules/azuread/credentials/password.tf:75-92
Calling File: /azuread_credentials.tf:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
75 | resource "azurerm_key_vault_secret" "client_secret" {
76 | for_each = {
77 | for key, value in try(var.settings.keyvaults, {}) : key => value
78 | if try(var.settings.azuread_application, null) != null && lower(local.password_type) == "password"
79 | }
80 |
81 | # Add a timer to make sure the new password got replicated into azure ad replica set before we store it into keyvault
82 | depends_on = [time_sleep.wait_new_password_propagation]
83 |
84 | name = format("%s-client-secret", each.value.secret_prefix)
85 | value = local.random_key == "key0" ? sensitive(azuread_application_password.key0.0.value) : try(sensitive(azuread_application_password.key1.0.value), sensitive(azuread_application_password.key.0.value))
86 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
87 | expiration_date = local.random_key == "key0" ? local.expiration_date.key0 : try(local.expiration_date.key1, local.expiration_date.key)
88 |
89 | tags = {
90 | key = local.random_key
91 | }
92 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_service_principal_passwords.azurerm_key_vault_secret.client_id
File: /modules/azuread/service_principal_password/keyvault_secrets.tf:2-8
Calling File: /azuread_service_principal_passwords.tf:5-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
2 | resource "azurerm_key_vault_secret" "client_id" {
3 | for_each = try(var.settings.keyvaults, {})
4 |
5 | name = format("%s-client-id", each.value.secret_prefix)
6 | value = var.service_principal_application_id
7 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
8 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_service_principal_passwords.azurerm_key_vault_secret.client_id
File: /modules/azuread/service_principal_password/keyvault_secrets.tf:2-8
Calling File: /azuread_service_principal_passwords.tf:5-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
2 | resource "azurerm_key_vault_secret" "client_id" {
3 | for_each = try(var.settings.keyvaults, {})
4 |
5 | name = format("%s-client-id", each.value.secret_prefix)
6 | value = var.service_principal_application_id
7 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
8 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_service_principal_passwords.azurerm_key_vault_secret.client_secret
File: /modules/azuread/service_principal_password/keyvault_secrets.tf:10-16
Calling File: /azuread_service_principal_passwords.tf:5-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
10 | resource "azurerm_key_vault_secret" "client_secret" {
11 | for_each = try(var.settings.keyvaults, {})
12 | name = format("%s-client-secret", each.value.secret_prefix)
13 | value = azuread_service_principal_password.pwd.value
14 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
15 | expiration_date = timeadd(time_rotating.pwd.id, format("%sh", local.password_policy.expire_in_days * 24))
16 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_service_principal_passwords.azurerm_key_vault_secret.tenant_id
File: /modules/azuread/service_principal_password/keyvault_secrets.tf:18-23
Calling File: /azuread_service_principal_passwords.tf:5-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
18 | resource "azurerm_key_vault_secret" "tenant_id" {
19 | for_each = try(var.settings.keyvaults, {})
20 | name = format("%s-tenant-id", each.value.secret_prefix)
21 | value = var.client_config.tenant_id
22 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
23 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_service_principal_passwords.azurerm_key_vault_secret.tenant_id
File: /modules/azuread/service_principal_password/keyvault_secrets.tf:18-23
Calling File: /azuread_service_principal_passwords.tf:5-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
18 | resource "azurerm_key_vault_secret" "tenant_id" {
19 | for_each = try(var.settings.keyvaults, {})
20 | name = format("%s-tenant-id", each.value.secret_prefix)
21 | value = var.client_config.tenant_id
22 | key_vault_id = try(each.value.lz_key, null) == null ? var.keyvaults[var.client_config.landingzone_key][each.key].id : var.keyvaults[each.value.lz_key][each.key].id
23 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.azuread_users.azurerm_key_vault_secret.aad_user_name
File: /modules/azuread/users/user.tf:59-63
Calling File: /azuread_users.tf:5-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
59 | resource "azurerm_key_vault_secret" "aad_user_name" {
60 | name = format("%s%s-name", local.secret_prefix, local.user_name)
61 | value = azuread_user.account.user_principal_name
62 | key_vault_id = local.keyvault_id
63 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_users.azurerm_key_vault_secret.aad_user_name
File: /modules/azuread/users/user.tf:59-63
Calling File: /azuread_users.tf:5-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
59 | resource "azurerm_key_vault_secret" "aad_user_name" {
60 | name = format("%s%s-name", local.secret_prefix, local.user_name)
61 | value = azuread_user.account.user_principal_name
62 | key_vault_id = local.keyvault_id
63 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.azuread_users.azurerm_key_vault_secret.aad_user_password
File: /modules/azuread/users/user.tf:65-70
Calling File: /azuread_users.tf:5-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
65 | resource "azurerm_key_vault_secret" "aad_user_password" {
66 | name = format("%s%s-password", local.secret_prefix, local.user_name)
67 | value = random_password.pwd.result
68 | expiration_date = timeadd(time_rotating.pwd.id, format("%sh", local.password_policy.expire_in_days * 24))
69 | key_vault_id = local.keyvault_id
70 | }
Check: CKV_AZURE_134: "Ensure that Cognitive Services accounts disable public network access"
FAILED for resource: module.example.module.cognitive_services_account.azurerm_cognitive_account.service
File: /modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf:11-49
Calling File: /cognitive_service.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-cognitive-services-accounts-disable-public-network-access.html
11 | resource "azurerm_cognitive_account" "service" {
12 | name = azurecaf_name.service.result
13 | location = var.location
14 | resource_group_name = var.resource_group_name
15 | kind = var.settings.kind
16 | sku_name = var.settings.sku_name
17 |
18 | qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null)
19 |
20 | dynamic "network_acls" {
21 | for_each = can(var.settings.network_acls) ? [var.settings.network_acls] : []
22 | content {
23 | default_action = network_acls.value.default_action
24 | ip_rules = try(network_acls.value.ip_rules, null)
25 |
26 | # to support migration from 2.99.0 to 3.7.0
27 | dynamic "virtual_network_rules" {
28 | for_each = can(network_acls.value.virtual_network_subnet_ids) ? toset(network_acls.value.virtual_network_subnet_ids) : []
29 |
30 | content {
31 | subnet_id = virtual_network_rules.value
32 | }
33 | }
34 |
35 | dynamic "virtual_network_rules" {
36 | for_each = try(network_acls.value.virtual_network_rules, {})
37 |
38 | content {
39 | subnet_id = virtual_network_rules.value.subnet_id
40 | ignore_missing_vnet_service_endpoint = try(virtual_network_rules.value.ignore_missing_vnet_service_endpoint, null)
41 | }
42 | }
43 | }
44 | }
45 |
46 | custom_subdomain_name = try(var.settings.custom_subdomain_name, null)
47 |
48 | tags = try(var.settings.tags, {})
49 | }
Check: CKV_AZURE_172: "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster.aks
File: /modules/compute/aks/aks.tf:40-436
Calling File: /compute_aks_clusters.tf:5-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_226: "Ensure ephemeral disks are used for OS disks"
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster.aks
File: /modules/compute/aks/aks.tf:40-436
Calling File: /compute_aks_clusters.tf:5-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster.aks
File: /modules/compute/aks/aks.tf:40-436
Calling File: /compute_aks_clusters.tf:5-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster.aks
File: /modules/compute/aks/aks.tf:40-436
Calling File: /compute_aks_clusters.tf:5-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_227: "Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources"
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster_node_pool.nodepools
File: /modules/compute/aks/aks.tf:449-573
Calling File: /compute_aks_clusters.tf:5-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster_node_pool.nodepools
File: /modules/compute/aks/aks.tf:449-573
Calling File: /compute_aks_clusters.tf:5-37
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_98: "Ensure that Azure Container group is deployed into virtual network"
FAILED for resource: module.example.module.container_groups.azurerm_container_group.acg
File: /modules/compute/container_group/container_group.tf:27-201
Calling File: /compute_container_groups.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-container-container-group-is-deployed-into-virtual-network.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.example.module.container_registry.azurerm_container_registry.acr
File: /modules/compute/container_registry/registry.tf:11-54
Calling File: /compute_container_registry.tf:1-28
11 | resource "azurerm_container_registry" "acr" {
12 | name = azurecaf_name.acr.result
13 | resource_group_name = local.resource_group_name
14 | location = local.location
15 | sku = var.sku
16 | admin_enabled = var.admin_enabled
17 | tags = local.tags
18 |
19 | public_network_access_enabled = var.public_network_access_enabled
20 |
21 | dynamic "network_rule_set" {
22 | for_each = try(var.network_rule_set, {})
23 |
24 | content {
25 | default_action = try(network_rule_set.value.default_action, "Allow")
26 |
27 | dynamic "ip_rule" {
28 | for_each = try(network_rule_set.value.ip_rules, {})
29 |
30 | content {
31 | action = "Allow"
32 | ip_range = ip_rule.value.ip_range
33 | }
34 | }
35 | dynamic "virtual_network" {
36 | for_each = try(network_rule_set.value.virtual_networks, {})
37 |
38 | content {
39 | action = "Allow"
40 | subnet_id = can(virtual_network.value.subnet_id) ? virtual_network.value.subnet_id : var.vnets[try(virtual_network.value.lz_key, var.client_config.landingzone_key)][virtual_network.value.vnet_key].subnets[virtual_network.value.subnet_key].id
41 | }
42 | }
43 | }
44 | }
45 |
46 | dynamic "georeplications" {
47 | for_each = try(var.georeplications, {})
48 |
49 | content {
50 | location = var.global_settings.regions[georeplications.key]
51 | tags = try(georeplications.value.tags)
52 | }
53 | }
54 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.example.module.container_registry.azurerm_container_registry.acr
File: /modules/compute/container_registry/registry.tf:11-54
Calling File: /compute_container_registry.tf:1-28
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.example.module.container_registry.azurerm_container_registry.acr
File: /modules/compute/container_registry/registry.tf:11-54
Calling File: /compute_container_registry.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.example.module.container_registry.azurerm_container_registry.acr
File: /modules/compute/container_registry/registry.tf:11-54
Calling File: /compute_container_registry.tf:1-28
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: module.example.module.container_registry.azurerm_container_registry.acr
File: /modules/compute/container_registry/registry.tf:11-54
Calling File: /compute_container_registry.tf:1-28
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.example.module.container_registry.azurerm_container_registry.acr
File: /modules/compute/container_registry/registry.tf:11-54
Calling File: /compute_container_registry.tf:1-28
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.virtual_machines.azurerm_key_vault_secret.ssh_private_key
File: /modules/compute/virtual_machine/admin_ssh_key.tf:12-24
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
12 | resource "azurerm_key_vault_secret" "ssh_private_key" {
13 | for_each = local.create_sshkeys ? var.settings.virtual_machine_settings : {}
14 |
15 | name = can(azurecaf_name.legacy_computer_name[each.key].result) ? format("%s-ssh-private-key", azurecaf_name.legacy_computer_name[each.key].result) : format("%s-ssh-private-key", data.azurecaf_name.linux_computer_name[each.key].result)
16 | value = tls_private_key.ssh[each.key].private_key_pem
17 | key_vault_id = local.keyvault.id
18 |
19 | lifecycle {
20 | ignore_changes = [
21 | name, value, key_vault_id
22 | ]
23 | }
24 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.virtual_machines.azurerm_key_vault_secret.ssh_private_key
File: /modules/compute/virtual_machine/admin_ssh_key.tf:12-24
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.virtual_machines.azurerm_key_vault_secret.ssh_public_key_openssh
File: /modules/compute/virtual_machine/admin_ssh_key.tf:26-38
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
26 | resource "azurerm_key_vault_secret" "ssh_public_key_openssh" {
27 | for_each = local.create_sshkeys ? var.settings.virtual_machine_settings : {}
28 |
29 | name = can(azurecaf_name.legacy_computer_name[each.key].result) ? format("%s-ssh-public-key-openssh", azurecaf_name.legacy_computer_name[each.key].result) : format("%s-ssh-public-key-openssh", data.azurecaf_name.linux_computer_name[each.key].result)
30 | value = tls_private_key.ssh[each.key].public_key_openssh
31 | key_vault_id = local.keyvault.id
32 |
33 | lifecycle {
34 | ignore_changes = [
35 | name, value, key_vault_id
36 | ]
37 | }
38 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.virtual_machines.azurerm_key_vault_secret.ssh_public_key_openssh
File: /modules/compute/virtual_machine/admin_ssh_key.tf:26-38
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.example.module.virtual_machines.azurerm_linux_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_linux.tf:49-203
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_179: "Ensure VM agent is installed"
FAILED for resource: module.example.module.virtual_machines.azurerm_linux_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_linux.tf:49-203
Calling File: /compute_virtual_machines.tf:3-48
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.example.module.virtual_machines.azurerm_windows_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_windows.tf:40-189
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_151: "Ensure Windows VM enables encryption"
FAILED for resource: module.example.module.virtual_machines.azurerm_windows_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_windows.tf:40-189
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_179: "Ensure VM agent is installed"
FAILED for resource: module.example.module.virtual_machines.azurerm_windows_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_windows.tf:40-189
Calling File: /compute_virtual_machines.tf:3-48
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_177: "Ensure Windows VM enables automatic updates"
FAILED for resource: module.example.module.virtual_machines.azurerm_windows_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_windows.tf:40-189
Calling File: /compute_virtual_machines.tf:3-48
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.virtual_machines.azurerm_key_vault_secret.admin_password
File: /modules/compute/virtual_machine/vm_windows.tf:202-214
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
202 | resource "azurerm_key_vault_secret" "admin_password" {
203 | for_each = local.os_type == "windows" && try(var.settings.virtual_machine_settings[local.os_type].admin_password_key, null) == null ? var.settings.virtual_machine_settings : {}
204 |
205 | name = format("%s-admin-password", data.azurecaf_name.windows_computer_name[each.key].result)
206 | value = random_password.admin[local.os_type].result
207 | key_vault_id = local.keyvault.id
208 |
209 | lifecycle {
210 | ignore_changes = [
211 | name, value, key_vault_id
212 | ]
213 | }
214 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.virtual_machines.azurerm_key_vault_secret.admin_password
File: /modules/compute/virtual_machine/vm_windows.tf:202-214
Calling File: /compute_virtual_machines.tf:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
Check: CKV_AZURE_97: "Ensure that Virtual machine scale sets have encryption at host enabled"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_linux_virtual_machine_scale_set.vmss
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:64-253
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_179: "Ensure VM agent is installed"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_linux_virtual_machine_scale_set.vmss
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:64-253
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_49: "Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_linux_virtual_machine_scale_set.vmss
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:64-253
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_97: "Ensure that Virtual machine scale sets have encryption at host enabled"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_linux_virtual_machine_scale_set.vmss_autoscaled
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:255-450
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_179: "Ensure VM agent is installed"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_linux_virtual_machine_scale_set.vmss_autoscaled
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:255-450
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_49: "Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_linux_virtual_machine_scale_set.vmss_autoscaled
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:255-450
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_key_vault_secret.ssh_private_key
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:456-468
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
456 | resource "azurerm_key_vault_secret" "ssh_private_key" {
457 | for_each = local.create_sshkeys ? var.settings.vmss_settings : {}
458 |
459 | name = format("%s-ssh-private-key", azurecaf_name.linux_computer_name_prefix[each.key].result)
460 | value = tls_private_key.ssh[each.key].private_key_pem
461 | key_vault_id = local.keyvault.id
462 |
463 | lifecycle {
464 | ignore_changes = [
465 | value
466 | ]
467 | }
468 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_key_vault_secret.ssh_private_key
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:456-468
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_key_vault_secret.ssh_public_key_openssh
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:471-483
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
471 | resource "azurerm_key_vault_secret" "ssh_public_key_openssh" {
472 | for_each = local.create_sshkeys ? var.settings.vmss_settings : {}
473 |
474 | name = format("%s-ssh-public-key-openssh", azurecaf_name.linux_computer_name_prefix[each.key].result)
475 | value = tls_private_key.ssh[each.key].public_key_openssh
476 | key_vault_id = local.keyvault.id
477 |
478 | lifecycle {
479 | ignore_changes = [
480 | value
481 | ]
482 | }
483 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_key_vault_secret.ssh_public_key_openssh
File: /modules/compute/virtual_machine_scale_set/vmss_linux.tf:471-483
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
Check: CKV_AZURE_97: "Ensure that Virtual machine scale sets have encryption at host enabled"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_windows_virtual_machine_scale_set.vmss
File: /modules/compute/virtual_machine_scale_set/vmss_windows.tf:59-288
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machine-scale-sets-have-encryption-at-host-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_179: "Ensure VM agent is installed"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_windows_virtual_machine_scale_set.vmss
File: /modules/compute/virtual_machine_scale_set/vmss_windows.tf:59-288
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_key_vault_secret.admin_password
File: /modules/compute/virtual_machine_scale_set/vmss_windows.tf:302-314
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
302 | resource "azurerm_key_vault_secret" "admin_password" {
303 | for_each = local.os_type == "windows" && try(var.settings.vmss_settings[local.os_type].admin_password_key, null) == null ? var.settings.vmss_settings : {}
304 |
305 | name = format("%s-admin-password", azurecaf_name.windows_computer_name_prefix[each.key].result)
306 | value = random_password.admin[local.os_type].result
307 | key_vault_id = local.keyvault.id
308 |
309 | lifecycle {
310 | ignore_changes = [
311 | value
312 | ]
313 | }
314 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.virtual_machine_scale_sets.azurerm_key_vault_secret.admin_password
File: /modules/compute/virtual_machine_scale_set/vmss_windows.tf:302-314
Calling File: /compute_virtual_machines_scale_sets.tf:3-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
Check: CKV_AZURE_186: "Ensure App configuration encryption block is set."
FAILED for resource: module.example.module.app_config.azurerm_app_configuration.config
File: /modules/databases/app_config/app_config.tf:14-30
Calling File: /app_config.tf:1-16
14 | resource "azurerm_app_configuration" "config" {
15 | name = azurecaf_name.app_config.result
16 | resource_group_name = local.resource_group_name
17 | sku = try(var.settings.sku_name, "standard")
18 | local_auth_enabled = try(var.settings.local_auth_enabled, null)
19 | public_network_access = try(var.settings.public_network_access, null)
20 | location = local.location
21 | tags = merge(local.tags, try(var.settings.tags, {}))
22 |
23 | dynamic "identity" {
24 | for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
25 |
26 | content {
27 | type = var.settings.identity.type
28 | }
29 | }
30 | }
Check: CKV_AZURE_187: "Ensure App configuration purge protection is enabled"
FAILED for resource: module.example.module.app_config.azurerm_app_configuration.config
File: /modules/databases/app_config/app_config.tf:14-30
Calling File: /app_config.tf:1-16
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: module.example.module.cosmos_dbs.azurerm_cosmosdb_account.cosmos_account
File: /modules/databases/cosmos_dbs/cosmosdb_account.tf:12-73
Calling File: /cosmos_db.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_48: "Ensure 'public network access enabled' is set to 'False' for MariaDB servers"
FAILED for resource: module.example.module.mariadb_servers.azurerm_mariadb_server.mariadb
File: /modules/databases/mariadb_server/server.tf:1-22
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/public-policies-1/bc-azr-public-1.html
1 | resource "azurerm_mariadb_server" "mariadb" {
2 | name = azurecaf_name.mariadb.result
3 | location = local.location
4 | resource_group_name = local.resource_group_name
5 |
6 | administrator_login = var.settings.administrator_login
7 | administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.mariadb_admin_password.0.value)
8 |
9 | sku_name = var.settings.sku_name
10 | storage_mb = var.settings.storage_mb
11 | version = var.settings.version
12 |
13 | auto_grow_enabled = try(var.settings.auto_grow_enabled, true)
14 | backup_retention_days = try(var.settings.backup_retention_days, null)
15 | geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, null)
16 | public_network_access_enabled = try(var.settings.public_network_access_enabled, false)
17 | ssl_enforcement_enabled = try(var.settings.ssl_enforcement_enabled, true)
18 | ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLS1_2")
19 | create_mode = try(var.settings.create_mode, "Default")
20 | creation_source_server_id = try(var.settings.creation_source_server_id, null)
21 | tags = local.tags
22 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_admin_password
File: /modules/databases/mariadb_server/server.tf:36-48
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
36 | resource "azurerm_key_vault_secret" "mariadb_admin_password" {
37 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
38 |
39 | name = format("%s-password", azurecaf_name.mariadb.result)
40 | value = random_password.mariadb_admin.0.result
41 | key_vault_id = var.keyvault_id
42 |
43 | lifecycle {
44 | ignore_changes = [
45 | value
46 | ]
47 | }
48 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_admin_password
File: /modules/databases/mariadb_server/server.tf:36-48
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
36 | resource "azurerm_key_vault_secret" "mariadb_admin_password" {
37 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
38 |
39 | name = format("%s-password", azurecaf_name.mariadb.result)
40 | value = random_password.mariadb_admin.0.result
41 | key_vault_id = var.keyvault_id
42 |
43 | lifecycle {
44 | ignore_changes = [
45 | value
46 | ]
47 | }
48 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_admin
File: /modules/databases/mariadb_server/server.tf:50-56
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
50 | resource "azurerm_key_vault_secret" "mariadb_admin" {
51 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
52 |
53 | name = format("%s-username", azurecaf_name.mariadb.result)
54 | value = var.settings.administrator_login
55 | key_vault_id = var.keyvault_id
56 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_admin
File: /modules/databases/mariadb_server/server.tf:50-56
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
50 | resource "azurerm_key_vault_secret" "mariadb_admin" {
51 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
52 |
53 | name = format("%s-username", azurecaf_name.mariadb.result)
54 | value = var.settings.administrator_login
55 | key_vault_id = var.keyvault_id
56 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_admin_login_name
File: /modules/databases/mariadb_server/server.tf:58-64
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
58 | resource "azurerm_key_vault_secret" "mariadb_admin_login_name" {
59 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
60 |
61 | name = format("%s-login-name", azurecaf_name.mariadb.result)
62 | value = format("%s@%s", var.settings.administrator_login, azurerm_mariadb_server.mariadb.fqdn)
63 | key_vault_id = var.keyvault_id
64 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_admin_login_name
File: /modules/databases/mariadb_server/server.tf:58-64
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
58 | resource "azurerm_key_vault_secret" "mariadb_admin_login_name" {
59 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
60 |
61 | name = format("%s-login-name", azurecaf_name.mariadb.result)
62 | value = format("%s@%s", var.settings.administrator_login, azurerm_mariadb_server.mariadb.fqdn)
63 | key_vault_id = var.keyvault_id
64 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_fqdn
File: /modules/databases/mariadb_server/server.tf:66-72
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
66 | resource "azurerm_key_vault_secret" "mariadb_fqdn" {
67 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
68 |
69 | name = format("%s-fqdn", azurecaf_name.mariadb.result)
70 | value = azurerm_mariadb_server.mariadb.fqdn
71 | key_vault_id = var.keyvault_id
72 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mariadb_servers.azurerm_key_vault_secret.mariadb_fqdn
File: /modules/databases/mariadb_server/server.tf:66-72
Calling File: /mariadb_servers.tf:7-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
66 | resource "azurerm_key_vault_secret" "mariadb_fqdn" {
67 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
68 |
69 | name = format("%s-fqdn", azurecaf_name.mariadb.result)
70 | value = azurerm_mariadb_server.mariadb.fqdn
71 | key_vault_id = var.keyvault_id
72 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mssql_managed_instances_secondary_v1.azurerm_key_vault_secret.sqlmi_admin_password
File: /modules/databases/mssql_managed_instance_v1/managed_instance.tf:94-106
Calling File: /msssql_managed_instances_v1.tf:44-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
94 | resource "azurerm_key_vault_secret" "sqlmi_admin_password" {
95 | count = can(var.settings.administrator_login_password) ? 0 : 1
96 | name = format("%s-password", azurerm_mssql_managed_instance.mssqlmi.name)
97 | value = random_password.sqlmi_admin.0.result
98 | key_vault_id = var.keyvault.id
99 | tags = local.tags
100 |
101 | lifecycle {
102 | replace_triggered_by = [
103 | random_password.sqlmi_admin.0.id
104 | ]
105 | }
106 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mssql_managed_instances_secondary_v1.azurerm_key_vault_secret.sqlmi_admin_password
File: /modules/databases/mssql_managed_instance_v1/managed_instance.tf:94-106
Calling File: /msssql_managed_instances_v1.tf:44-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
94 | resource "azurerm_key_vault_secret" "sqlmi_admin_password" {
95 | count = can(var.settings.administrator_login_password) ? 0 : 1
96 | name = format("%s-password", azurerm_mssql_managed_instance.mssqlmi.name)
97 | value = random_password.sqlmi_admin.0.result
98 | key_vault_id = var.keyvault.id
99 | tags = local.tags
100 |
101 | lifecycle {
102 | replace_triggered_by = [
103 | random_password.sqlmi_admin.0.id
104 | ]
105 | }
106 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mssql_managed_instances_v1.azurerm_key_vault_secret.sqlmi_admin_password
File: /modules/databases/mssql_managed_instance_v1/managed_instance.tf:94-106
Calling File: /msssql_managed_instances_v1.tf:21-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
94 | resource "azurerm_key_vault_secret" "sqlmi_admin_password" {
95 | count = can(var.settings.administrator_login_password) ? 0 : 1
96 | name = format("%s-password", azurerm_mssql_managed_instance.mssqlmi.name)
97 | value = random_password.sqlmi_admin.0.result
98 | key_vault_id = var.keyvault.id
99 | tags = local.tags
100 |
101 | lifecycle {
102 | replace_triggered_by = [
103 | random_password.sqlmi_admin.0.id
104 | ]
105 | }
106 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mssql_managed_instances_v1.azurerm_key_vault_secret.sqlmi_admin_password
File: /modules/databases/mssql_managed_instance_v1/managed_instance.tf:94-106
Calling File: /msssql_managed_instances_v1.tf:21-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
94 | resource "azurerm_key_vault_secret" "sqlmi_admin_password" {
95 | count = can(var.settings.administrator_login_password) ? 0 : 1
96 | name = format("%s-password", azurerm_mssql_managed_instance.mssqlmi.name)
97 | value = random_password.sqlmi_admin.0.result
98 | key_vault_id = var.keyvault.id
99 | tags = local.tags
100 |
101 | lifecycle {
102 | replace_triggered_by = [
103 | random_password.sqlmi_admin.0.id
104 | ]
105 | }
106 | }
Check: CKV_AZURE_25: "Ensure that 'Threat Detection types' is set to 'All'"
FAILED for resource: module.example.module.mssql_servers.azurerm_mssql_server_security_alert_policy.mssql[0]
File: /modules/databases/mssql_server/security_alert.tf:15-27
Calling File: /mssql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-6.html
15 | resource "azurerm_mssql_server_security_alert_policy" "mssql" {
16 | count = try(var.settings.security_alert_policy, null) == null ? 0 : 1
17 |
18 | resource_group_name = local.resource_group_name
19 | server_name = azurerm_mssql_server.mssql.name
20 | state = try(var.settings.state, "Enabled")
21 | storage_endpoint = data.azurerm_storage_account.mssql_security_alert.0.primary_blob_endpoint
22 | storage_account_access_key = data.azurerm_storage_account.mssql_security_alert.0.primary_access_key
23 | disabled_alerts = try(var.settings.disabled_alerts, null)
24 | email_account_admins = try(var.settings.email_subscription_admins, false)
25 | email_addresses = try(var.settings.email_addresses, null)
26 | retention_days = try(var.settings.retention_days, 0)
27 | }
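CKV_AZURE_25 fails here because `disabled_alerts` is forwarded from a caller-supplied `var.settings`, which a static scan cannot resolve, so the scanner cannot prove that every detection type stays enabled. The policy below is an added example written for this page, not code from the aztfmod module; the variable names and the alert recipient are assumptions.

```hcl
# Added example (not the aztfmod module's code): an alert policy that
# satisfies CKV_AZURE_25 by leaving every threat detection type enabled.
# Inputs are assumptions for illustration.

variable "resource_group_name" {
  description = "Assumed input: resource group of the SQL server."
  type        = string
}

variable "mssql_server_name" {
  description = "Assumed input: name of the azurerm_mssql_server."
  type        = string
}

variable "audit_storage_endpoint" {
  description = "Assumed input: primary_blob_endpoint of the audit storage account."
  type        = string
}

variable "audit_storage_access_key" {
  description = "Assumed input: access key of the audit storage account."
  type        = string
  sensitive   = true
}

resource "azurerm_mssql_server_security_alert_policy" "example" {
  resource_group_name = var.resource_group_name
  server_name         = var.mssql_server_name

  # Pinned rather than try(var.settings.state, "Enabled"): a caller
  # cannot silently switch detection off through the settings map.
  state = "Enabled"

  # CKV_AZURE_25: an empty list means every detection type is active.
  disabled_alerts = []

  # Note the module reads settings.email_subscription_admins, not
  # email_account_admins; a caller using the provider's attribute name
  # inside the settings map is silently ignored there.
  email_account_admins = true
  email_addresses      = ["secops@example.com"] # assumed recipient

  # Keep the detection audit log long enough for an investigation;
  # the module's fallback is 0.
  retention_days = 90

  storage_endpoint           = var.audit_storage_endpoint
  storage_account_access_key = var.audit_storage_access_key
}
```

When the policy must stay configurable, validate the inputs (for example a `validation` block rejecting `state != "Enabled"`) rather than relying on `try()` fallbacks, since the fallback is invisible to the scanner and to a reviewer reading the caller's settings.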
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mssql_servers.azurerm_key_vault_secret.sql_admin_password
File: /modules/databases/mssql_server/server.tf:73-85
Calling File: /mssql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
73 | resource "azurerm_key_vault_secret" "sql_admin_password" {
74 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
75 |
76 | name = can(var.settings.keyvault_secret_name) ? var.settings.keyvault_secret_name : format("%s-password", azurecaf_name.mssql.result)
77 | value = random_password.sql_admin.0.result
78 | key_vault_id = var.keyvault_id
79 |
80 | lifecycle {
81 | ignore_changes = [
82 | value
83 | ]
84 | }
85 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mssql_servers.azurerm_key_vault_secret.sql_admin_password
File: /modules/databases/mssql_server/server.tf:73-85
Calling File: /mssql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
73 | resource "azurerm_key_vault_secret" "sql_admin_password" {
74 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
75 |
76 | name = can(var.settings.keyvault_secret_name) ? var.settings.keyvault_secret_name : format("%s-password", azurecaf_name.mssql.result)
77 | value = random_password.sql_admin.0.result
78 | key_vault_id = var.keyvault_id
79 |
80 | lifecycle {
81 | ignore_changes = [
82 | value
83 | ]
84 | }
85 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_database_name
File: /modules/databases/mysql_flexible_server/database.tf:30-36
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
30 | resource "azurerm_key_vault_secret" "mysql_database_name" {
31 | for_each = { for key, value in var.settings.mysql_databases : key => value if can(var.settings.keyvault) }
32 |
33 | name = format("%s-ON-%s", azurerm_mysql_flexible_server.mysql.name, each.value.name)
34 | value = each.value.name
35 | key_vault_id = var.remote_objects.keyvault_id
36 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_database_name
File: /modules/databases/mysql_flexible_server/database.tf:30-36
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
30 | resource "azurerm_key_vault_secret" "mysql_database_name" {
31 | for_each = { for key, value in var.settings.mysql_databases : key => value if can(var.settings.keyvault) }
32 |
33 | name = format("%s-ON-%s", azurerm_mysql_flexible_server.mysql.name, each.value.name)
34 | value = each.value.name
35 | key_vault_id = var.remote_objects.keyvault_id
36 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_administrator_username
File: /modules/databases/mysql_flexible_server/server.tf:72-84
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
72 | resource "azurerm_key_vault_secret" "mysql_administrator_username" {
73 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
74 |
75 | name = format("%s-mysql-administrator-username", azurecaf_name.mysql_flexible_server.result)
76 | value = try(var.settings.administrator_username, "psqladmin")
77 | key_vault_id = var.remote_objects.keyvault_id
78 |
79 | lifecycle {
80 | ignore_changes = [
81 | value
82 | ]
83 | }
84 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_administrator_username
File: /modules/databases/mysql_flexible_server/server.tf:72-84
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
72 | resource "azurerm_key_vault_secret" "mysql_administrator_username" {
73 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
74 |
75 | name = format("%s-mysql-administrator-username", azurecaf_name.mysql_flexible_server.result)
76 | value = try(var.settings.administrator_username, "psqladmin")
77 | key_vault_id = var.remote_objects.keyvault_id
78 |
79 | lifecycle {
80 | ignore_changes = [
81 | value
82 | ]
83 | }
84 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_administrator_password
File: /modules/databases/mysql_flexible_server/server.tf:98-110
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
98 | resource "azurerm_key_vault_secret" "mysql_administrator_password" {
99 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
100 |
101 | name = format("%s-mysql-administrator-password", azurecaf_name.mysql_flexible_server.result)
102 | value = try(var.settings.administrator_password, random_password.mysql_administrator_password.0.result)
103 | key_vault_id = var.remote_objects.keyvault_id
104 |
105 | lifecycle {
106 | ignore_changes = [
107 | value
108 | ]
109 | }
110 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_administrator_password
File: /modules/databases/mysql_flexible_server/server.tf:98-110
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
98 | resource "azurerm_key_vault_secret" "mysql_administrator_password" {
99 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
100 |
101 | name = format("%s-mysql-administrator-password", azurecaf_name.mysql_flexible_server.result)
102 | value = try(var.settings.administrator_password, random_password.mysql_administrator_password.0.result)
103 | key_vault_id = var.remote_objects.keyvault_id
104 |
105 | lifecycle {
106 | ignore_changes = [
107 | value
108 | ]
109 | }
110 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_fqdn
File: /modules/databases/mysql_flexible_server/server.tf:113-119
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
113 | resource "azurerm_key_vault_secret" "mysql_fqdn" {
114 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
115 |
116 | name = format("%s-mysql-fqdn", azurecaf_name.mysql_flexible_server.result)
117 | value = azurerm_mysql_flexible_server.mysql.fqdn
118 | key_vault_id = var.remote_objects.keyvault_id
119 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_flexible_server.azurerm_key_vault_secret.mysql_fqdn
File: /modules/databases/mysql_flexible_server/server.tf:113-119
Calling File: /mysql_flexible_servers.tf:6-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
113 | resource "azurerm_key_vault_secret" "mysql_fqdn" {
114 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
115 |
116 | name = format("%s-mysql-fqdn", azurecaf_name.mysql_flexible_server.result)
117 | value = azurerm_mysql_flexible_server.mysql.fqdn
118 | key_vault_id = var.remote_objects.keyvault_id
119 | }
Check: CKV_AZURE_127: "Ensure that My SQL server enables Threat detection policy"
FAILED for resource: module.example.module.mysql_servers.azurerm_mysql_server.mysql
File: /modules/databases/mysql_server/server.tf:1-33
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-my-sql-server-enables-threat-detection-policy.html
1 | resource "azurerm_mysql_server" "mysql" {
2 |
3 | name = azurecaf_name.mysql.result
4 | resource_group_name = local.resource_group_name
5 | location = local.location
6 | version = var.settings.version
7 | sku_name = var.settings.sku_name
8 |
9 | administrator_login = var.settings.administrator_login
10 | administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.mysql_admin_password.0.value)
11 |
12 | auto_grow_enabled = try(var.settings.auto_grow_enabled, true)
13 | storage_mb = var.settings.storage_mb
14 | backup_retention_days = try(var.settings.backup_retention_days, null)
15 | create_mode = try(var.settings.create_mode, "Default")
16 | creation_source_server_id = try(var.settings.creation_source_server_id, null)
17 | geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, null)
18 | infrastructure_encryption_enabled = try(var.settings.infrastructure_encryption_enabled, false)
19 | restore_point_in_time = try(var.settings.restore_point_in_time, null)
20 | public_network_access_enabled = try(var.settings.public_network_access_enabled, true)
21 | ssl_enforcement_enabled = try(var.settings.ssl_enforcement_enabled, true)
22 | ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLSEnforcementDisabled")
23 | tags = local.tags
24 |
25 | dynamic "identity" {
26 | for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
27 |
28 | content {
29 | type = var.settings.identity.type
30 | }
31 | }
32 |
33 | }
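Two things are worth separating in this block. The earlier MariaDB finding (CKV_AZURE_48) is a scanner limitation: that module falls back to `public_network_access_enabled = false`, but `var.settings` is caller-supplied and unresolved in a static scan, so the value cannot be proven. The MySQL server here has genuinely weak fallbacks: `public_network_access_enabled` defaults to `true` and `ssl_minimal_tls_version_enforced` to `"TLSEnforcementDisabled"`, which accepts TLS 1.0 and 1.1 even though `ssl_enforcement_enabled` is `true`, and no `threat_detection_policy` block exists, which is what CKV_AZURE_127 reports. The resource below is an added example for this page, not the module's code; the names, SKU and alert recipient are assumptions.

```hcl
# Added example (not the aztfmod module's code): azurerm_mysql_server with
# CKV_AZURE_127 addressed and the network/TLS fallbacks pinned to safe
# literals that a static scanner can verify. Names are assumptions.

variable "administrator_login_password" {
  description = "Assumed input: admin password, sourced from Key Vault by the caller."
  type        = string
  sensitive   = true
}

resource "azurerm_mysql_server" "example" {
  name                = "example-mysql" # assumed
  resource_group_name = "example-rg"    # assumed
  location            = "westeurope"    # assumed
  version             = "8.0"
  sku_name            = "GP_Gen5_2"
  storage_mb          = 5120

  administrator_login          = "mysqladmin" # assumed
  administrator_login_password = var.administrator_login_password

  # Literal values instead of try(var.settings.x, default): the module's
  # fallbacks for this resource are public access = true and
  # TLS enforcement disabled.
  public_network_access_enabled    = false
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"

  auto_grow_enabled            = true
  backup_retention_days        = 35
  geo_redundant_backup_enabled = true

  # CKV_AZURE_127: Advanced Threat Protection. disabled_alerts is left
  # unset so every detection type stays on.
  threat_detection_policy {
    enabled              = true
    email_account_admins = true
    email_addresses      = ["secops@example.com"] # assumed recipient
    retention_days       = 90
  }
}
```

With public access disabled the server is reachable only through a private endpoint, so the caller must provision one; the module's `mysql_flexible_server` path elsewhere in this report is the successor offering, as Azure Database for MySQL Single Server is on a retirement path.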
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.mysql_admin_password
File: /modules/databases/mysql_server/server.tf:55-67
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
55 | resource "azurerm_key_vault_secret" "mysql_admin_password" {
56 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
57 |
58 | name = format("%s-password", azurecaf_name.mysql.result)
59 | value = random_password.mysql_admin.0.result
60 | key_vault_id = var.keyvault_id
61 |
62 | lifecycle {
63 | ignore_changes = [
64 | value
65 | ]
66 | }
67 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.mysql_admin_password
File: /modules/databases/mysql_server/server.tf:55-67
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
55 | resource "azurerm_key_vault_secret" "mysql_admin_password" {
56 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
57 |
58 | name = format("%s-password", azurecaf_name.mysql.result)
59 | value = random_password.mysql_admin.0.result
60 | key_vault_id = var.keyvault_id
61 |
62 | lifecycle {
63 | ignore_changes = [
64 | value
65 | ]
66 | }
67 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.sql_admin
File: /modules/databases/mysql_server/server.tf:69-75
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
69 | resource "azurerm_key_vault_secret" "sql_admin" {
70 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
71 |
72 | name = format("%s-username", azurecaf_name.mysql.result)
73 | value = var.settings.administrator_login
74 | key_vault_id = var.keyvault_id
75 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.sql_admin
File: /modules/databases/mysql_server/server.tf:69-75
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
69 | resource "azurerm_key_vault_secret" "sql_admin" {
70 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
71 |
72 | name = format("%s-username", azurecaf_name.mysql.result)
73 | value = var.settings.administrator_login
74 | key_vault_id = var.keyvault_id
75 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.mysql_admin_login_name
File: /modules/databases/mysql_server/server.tf:77-83
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
77 | resource "azurerm_key_vault_secret" "mysql_admin_login_name" {
78 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
79 |
80 | name = format("%s-login-name", azurecaf_name.mysql.result)
81 | value = format("%s@%s", var.settings.administrator_login, azurerm_mysql_server.mysql.fqdn)
82 | key_vault_id = var.keyvault_id
83 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.mysql_admin_login_name
File: /modules/databases/mysql_server/server.tf:77-83
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
77 | resource "azurerm_key_vault_secret" "mysql_admin_login_name" {
78 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
79 |
80 | name = format("%s-login-name", azurecaf_name.mysql.result)
81 | value = format("%s@%s", var.settings.administrator_login, azurerm_mysql_server.mysql.fqdn)
82 | key_vault_id = var.keyvault_id
83 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.mysql_fqdn
File: /modules/databases/mysql_server/server.tf:85-91
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
85 | resource "azurerm_key_vault_secret" "mysql_fqdn" {
86 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
87 |
88 | name = format("%s-fqdn", azurecaf_name.mysql.result)
89 | value = azurerm_mysql_server.mysql.fqdn
90 | key_vault_id = var.keyvault_id
91 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.mysql_servers.azurerm_key_vault_secret.mysql_fqdn
File: /modules/databases/mysql_server/server.tf:85-91
Calling File: /mysql_servers.tf:7-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
85 | resource "azurerm_key_vault_secret" "mysql_fqdn" {
86 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
87 |
88 | name = format("%s-fqdn", azurecaf_name.mysql.result)
89 | value = azurerm_mysql_server.mysql.fqdn
90 | key_vault_id = var.keyvault_id
91 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_database_name
File: /modules/databases/postgresql_flexible_server/database.tf:24-30
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
24 | resource "azurerm_key_vault_secret" "postgresql_database_name" {
25 | for_each = { for key, value in var.settings.postgresql_databases : key => value if can(var.settings.keyvault) }
26 |
27 | name = format("%s-ON-%s", each.value.name, azurecaf_name.postgresql_flexible_server.result)
28 | value = each.value.name
29 | key_vault_id = var.remote_objects.keyvault_id
30 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_database_name
File: /modules/databases/postgresql_flexible_server/database.tf:24-30
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
24 | resource "azurerm_key_vault_secret" "postgresql_database_name" {
25 | for_each = { for key, value in var.settings.postgresql_databases : key => value if can(var.settings.keyvault) }
26 |
27 | name = format("%s-ON-%s", each.value.name, azurecaf_name.postgresql_flexible_server.result)
28 | value = each.value.name
29 | key_vault_id = var.remote_objects.keyvault_id
30 | }
Check: CKV_AZURE_136: "Ensure that PostgreSQL Flexible server enables geo-redundant backups"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_postgresql_flexible_server.postgresql
File: /modules/databases/postgresql_flexible_server/server.tf:11-68
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-postgresql-flexible-server-enables-geo-redundant-backups.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_administrator_username
File: /modules/databases/postgresql_flexible_server/server.tf:71-83
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
71 | resource "azurerm_key_vault_secret" "postgresql_administrator_username" {
72 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
73 |
74 | name = format("%s-username", azurecaf_name.postgresql_flexible_server.result)
75 | value = try(var.settings.administrator_username, "pgadmin")
76 | key_vault_id = var.remote_objects.keyvault_id
77 |
78 | lifecycle {
79 | ignore_changes = [
80 | value
81 | ]
82 | }
83 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_administrator_username
File: /modules/databases/postgresql_flexible_server/server.tf:71-83
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
71 | resource "azurerm_key_vault_secret" "postgresql_administrator_username" {
72 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
73 |
74 | name = format("%s-username", azurecaf_name.postgresql_flexible_server.result)
75 | value = try(var.settings.administrator_username, "pgadmin")
76 | key_vault_id = var.remote_objects.keyvault_id
77 |
78 | lifecycle {
79 | ignore_changes = [
80 | value
81 | ]
82 | }
83 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_administrator_password
File: /modules/databases/postgresql_flexible_server/server.tf:97-109
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
97 | resource "azurerm_key_vault_secret" "postgresql_administrator_password" {
98 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
99 |
100 | name = format("%s-password", azurecaf_name.postgresql_flexible_server.result)
101 | value = try(var.settings.administrator_password, random_password.postgresql_administrator_password.0.result)
102 | key_vault_id = var.remote_objects.keyvault_id
103 |
104 | lifecycle {
105 | ignore_changes = [
106 | value
107 | ]
108 | }
109 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_administrator_password
File: /modules/databases/postgresql_flexible_server/server.tf:97-109
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
97 | resource "azurerm_key_vault_secret" "postgresql_administrator_password" {
98 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
99 |
100 | name = format("%s-password", azurecaf_name.postgresql_flexible_server.result)
101 | value = try(var.settings.administrator_password, random_password.postgresql_administrator_password.0.result)
102 | key_vault_id = var.remote_objects.keyvault_id
103 |
104 | lifecycle {
105 | ignore_changes = [
106 | value
107 | ]
108 | }
109 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_fqdn
File: /modules/databases/postgresql_flexible_server/server.tf:112-118
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
112 | resource "azurerm_key_vault_secret" "postgresql_fqdn" {
113 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
114 |
115 | name = format("%s-fqdn", azurecaf_name.postgresql_flexible_server.result)
116 | value = azurerm_postgresql_flexible_server.postgresql.fqdn
117 | key_vault_id = var.remote_objects.keyvault_id
118 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_flexible_servers.azurerm_key_vault_secret.postgresql_fqdn
File: /modules/databases/postgresql_flexible_server/server.tf:112-118
Calling File: /postgresql_flexible_servers.tf:5-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
112 | resource "azurerm_key_vault_secret" "postgresql_fqdn" {
113 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
114 |
115 | name = format("%s-fqdn", azurecaf_name.postgresql_flexible_server.result)
116 | value = azurerm_postgresql_flexible_server.postgresql.fqdn
117 | key_vault_id = var.remote_objects.keyvault_id
118 | }
Check: CKV_AZURE_128: "Ensure that PostgreSQL server enables Threat detection policy"
FAILED for resource: module.example.module.postgresql_servers.azurerm_postgresql_server.postgresql
File: /modules/databases/postgresql_server/server.tf:1-34
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-postgresql-server-enables-threat-detection-policy.html
1 | resource "azurerm_postgresql_server" "postgresql" {
2 |
3 | name = azurecaf_name.postgresql.result
4 | resource_group_name = local.resource_group_name
5 | location = local.location
6 | version = var.settings.version
7 | sku_name = var.settings.sku_name
8 |
9 | administrator_login = var.settings.administrator_login
10 | administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.postgresql_admin_password.0.value)
11 |
12 | auto_grow_enabled = try(var.settings.auto_grow_enabled, false)
13 | storage_mb = try(var.settings.storage_mb, null)
14 | backup_retention_days = try(var.settings.backup_retention_days, null)
15 | create_mode = try(var.settings.create_mode, "Default")
16 | creation_source_server_id = try(var.settings.creation_source_server_id, null)
17 | geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, null)
18 | infrastructure_encryption_enabled = try(var.settings.infrastructure_encryption_enableduto_grow_enabled, false)
19 | restore_point_in_time = try(var.settings.restore_point_in_time, null)
20 | public_network_access_enabled = try(var.settings.public_network_access_enabled, true)
21 | ssl_enforcement_enabled = try(var.settings.ssl_enforcement_enabled, true)
22 | ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLSEnforcementDisabled")
23 | tags = local.tags
24 |
25 |
26 | dynamic "identity" {
27 | for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
28 |
29 | content {
30 | type = var.settings.identity.type
31 | }
32 | }
33 |
34 | }
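The two PostgreSQL findings above are different resources with the same underlying pattern: a `try(var.settings.x, default)` whose fallback is the permissive value, so a caller who never thinks about the setting gets the weak configuration. The scanned `azurerm_postgresql_server` snippet also carries a typo worth flagging: `try(var.settings.infrastructure_encryption_enableduto_grow_enabled, false)` looks up a key no caller will ever set, so `try()` always returns the fallback and an `infrastructure_encryption_enabled = true` in the caller's settings is silently ignored. The block below is an added example and not the module's own code; it writes both resources with secure fallbacks, covering CKV_AZURE_136 on the flexible server and CKV_AZURE_128 on the single server. The `settings`, `resource_group_name` and `location` variables, the resource names and the SKUs are assumptions made for the illustration.

```hcl
# Assumed inputs; the CAF modules derive these from var.settings and locals.
variable "settings" { type = any }
variable "resource_group_name" { type = string }
variable "location" { type = string }

# CKV_AZURE_136 target. geo_redundant_backup_enabled is decided at creation
# time (changing it later recreates the server), so the fallback must already
# be true on the first apply rather than unset, which means false.
resource "azurerm_postgresql_flexible_server" "example" {
  name                = "pg-flex-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  version             = try(var.settings.version, "15")
  sku_name            = try(var.settings.sku_name, "GP_Standard_D2s_v3")
  storage_mb          = try(var.settings.storage_mb, 32768)

  administrator_login    = try(var.settings.administrator_login, "pgadmin")
  administrator_password = var.settings.administrator_password

  backup_retention_days        = try(var.settings.backup_retention_days, 35)
  geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, true)
}

# CKV_AZURE_128 target (Single Server). Besides the missing threat detection
# policy, the scanned defaults leave public access on and TLS enforcement off.
resource "azurerm_postgresql_server" "example" {
  name                = "pg-single-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  version             = try(var.settings.version, "11")
  sku_name            = try(var.settings.sku_name, "GP_Gen5_2")

  administrator_login          = try(var.settings.administrator_login, "pgadmin")
  administrator_login_password = var.settings.administrator_login_password

  storage_mb                   = try(var.settings.storage_mb, 5120)
  backup_retention_days        = try(var.settings.backup_retention_days, 35)
  geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, true)

  # The scanned module reads a misspelled key here, so the caller's value never
  # reaches the resource. Correct key, same creation-time-only semantics.
  infrastructure_encryption_enabled = try(var.settings.infrastructure_encryption_enabled, false)

  # Secure fallbacks: private unless the caller opts in, TLS required, 1.2 minimum.
  public_network_access_enabled    = try(var.settings.public_network_access_enabled, false)
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLS1_2")

  # What CKV_AZURE_128 looks for: Advanced Threat Protection on the server.
  threat_detection_policy {
    enabled              = true
    email_account_admins = true
    email_addresses      = try(var.settings.threat_detection_policy.email_addresses, [])
    retention_days       = try(var.settings.threat_detection_policy.retention_days, 90)
  }
}
```

Two caveats before copying this into a module. `geo_redundant_backup_enabled` and `infrastructure_encryption_enabled` can only be chosen when the server is created; the provider recreates the server if they change, so fix the fallback before the first apply or plan a migration, and budget for geo-redundant backup storage. The flexible server resource has no `threat_detection_policy` argument; its threat detection comes from the Microsoft Defender for open-source relational databases plan, which is enabled per subscription rather than per resource. Single Server is also on Microsoft's retirement path, so new deployments belong on flexible server.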
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.postgresql_admin_password
File: /modules/databases/postgresql_server/server.tf:57-69
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
57 | resource "azurerm_key_vault_secret" "postgresql_admin_password" {
58 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
59 |
60 | name = format("%s-password", azurecaf_name.postgresql.result)
61 | value = random_password.postgresql_admin.0.result
62 | key_vault_id = var.keyvault_id
63 |
64 | lifecycle {
65 | ignore_changes = [
66 | value
67 | ]
68 | }
69 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.postgresql_admin_password
File: /modules/databases/postgresql_server/server.tf:57-69
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
57 | resource "azurerm_key_vault_secret" "postgresql_admin_password" {
58 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
59 |
60 | name = format("%s-password", azurecaf_name.postgresql.result)
61 | value = random_password.postgresql_admin.0.result
62 | key_vault_id = var.keyvault_id
63 |
64 | lifecycle {
65 | ignore_changes = [
66 | value
67 | ]
68 | }
69 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.sql_admin
File: /modules/databases/postgresql_server/server.tf:71-77
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
71 | resource "azurerm_key_vault_secret" "sql_admin" {
72 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
73 |
74 | name = format("%s-username", azurecaf_name.postgresql.result)
75 | value = var.settings.administrator_login
76 | key_vault_id = var.keyvault_id
77 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.sql_admin
File: /modules/databases/postgresql_server/server.tf:71-77
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
71 | resource "azurerm_key_vault_secret" "sql_admin" {
72 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
73 |
74 | name = format("%s-username", azurecaf_name.postgresql.result)
75 | value = var.settings.administrator_login
76 | key_vault_id = var.keyvault_id
77 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.postgresql_admin_login_name
File: /modules/databases/postgresql_server/server.tf:79-85
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
79 | resource "azurerm_key_vault_secret" "postgresql_admin_login_name" {
80 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
81 |
82 | name = format("%s-login-name", azurecaf_name.postgresql.result)
83 | value = format("%s@%s", var.settings.administrator_login, azurerm_postgresql_server.postgresql.fqdn)
84 | key_vault_id = var.keyvault_id
85 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.postgresql_admin_login_name
File: /modules/databases/postgresql_server/server.tf:79-85
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
79 | resource "azurerm_key_vault_secret" "postgresql_admin_login_name" {
80 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
81 |
82 | name = format("%s-login-name", azurecaf_name.postgresql.result)
83 | value = format("%s@%s", var.settings.administrator_login, azurerm_postgresql_server.postgresql.fqdn)
84 | key_vault_id = var.keyvault_id
85 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.postgresql_fqdn
File: /modules/databases/postgresql_server/server.tf:87-93
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
87 | resource "azurerm_key_vault_secret" "postgresql_fqdn" {
88 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
89 |
90 | name = format("%s-fqdn", azurecaf_name.postgresql.result)
91 | value = azurerm_postgresql_server.postgresql.fqdn
92 | key_vault_id = var.keyvault_id
93 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.postgresql_servers.azurerm_key_vault_secret.postgresql_fqdn
File: /modules/databases/postgresql_server/server.tf:87-93
Calling File: /postgresql_servers.tf:7-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
87 | resource "azurerm_key_vault_secret" "postgresql_fqdn" {
88 | count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
89 |
90 | name = format("%s-fqdn", azurecaf_name.postgresql.result)
91 | value = azurerm_postgresql_server.postgresql.fqdn
92 | key_vault_id = var.keyvault_id
93 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.maps_accounts.azurerm_key_vault_secret.primary_access_key
File: /modules/maps/maps_account/maps_account.tf:21-27
Calling File: /maps_account.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
21 | resource "azurerm_key_vault_secret" "primary_access_key" {
22 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
23 |
24 | name = format("%s-primary-key", data.azurecaf_name.map.result)
25 | value = azurerm_maps_account.map.primary_access_key
26 | key_vault_id = var.remote_objects.keyvaults[try(var.settings.keyvault.lz_key, var.client_config.landingzone_key)][var.settings.keyvault.key].id
27 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.maps_accounts.azurerm_key_vault_secret.primary_access_key
File: /modules/maps/maps_account/maps_account.tf:21-27
Calling File: /maps_account.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
21 | resource "azurerm_key_vault_secret" "primary_access_key" {
22 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
23 |
24 | name = format("%s-primary-key", data.azurecaf_name.map.result)
25 | value = azurerm_maps_account.map.primary_access_key
26 | key_vault_id = var.remote_objects.keyvaults[try(var.settings.keyvault.lz_key, var.client_config.landingzone_key)][var.settings.keyvault.key].id
27 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.maps_accounts.azurerm_key_vault_secret.secondary_access_key
File: /modules/maps/maps_account/maps_account.tf:30-36
Calling File: /maps_account.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
30 | resource "azurerm_key_vault_secret" "secondary_access_key" {
31 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
32 |
33 | name = format("%s-secondary-key", data.azurecaf_name.map.result)
34 | value = azurerm_maps_account.map.secondary_access_key
35 | key_vault_id = var.remote_objects.keyvaults[try(var.settings.keyvault.lz_key, var.client_config.landingzone_key)][var.settings.keyvault.key].id
36 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.maps_accounts.azurerm_key_vault_secret.secondary_access_key
File: /modules/maps/maps_account/maps_account.tf:30-36
Calling File: /maps_account.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
30 | resource "azurerm_key_vault_secret" "secondary_access_key" {
31 | count = lookup(var.settings, "keyvault", null) == null ? 0 : 1
32 |
33 | name = format("%s-secondary-key", data.azurecaf_name.map.result)
34 | value = azurerm_maps_account.map.secondary_access_key
35 | key_vault_id = var.remote_objects.keyvaults[try(var.settings.keyvault.lz_key, var.client_config.landingzone_key)][var.settings.keyvault.key].id
36 | }
Check: CKV_AZURE_205: "Ensure Azure Service Bus is using the latest version of TLS encryption"
FAILED for resource: module.example.module.servicebus_namespaces.azurerm_servicebus_namespace.namespace
File: /modules/messaging/servicebus/namespace/namespace.tf:13-21
Calling File: /messaging_servicebus_namespaces.tf:1-18
13 | resource "azurerm_servicebus_namespace" "namespace" {
14 | name = azurecaf_name.namespace.result
15 | sku = var.settings.sku
16 | capacity = try(var.settings.capacity, null)
17 | zone_redundant = try(var.settings.zone_redundant, null)
18 | tags = merge(local.base_tags, try(var.settings.tags, {}))
19 | location = local.location
20 | resource_group_name = local.resource_group_name
21 | }
Check: CKV_AZURE_201: "Ensure that Azure Service Bus uses a customer-managed key to encrypt data"
FAILED for resource: module.example.module.servicebus_namespaces.azurerm_servicebus_namespace.namespace
File: /modules/messaging/servicebus/namespace/namespace.tf:13-21
Calling File: /messaging_servicebus_namespaces.tf:1-18
13 | resource "azurerm_servicebus_namespace" "namespace" {
14 | name = azurecaf_name.namespace.result
15 | sku = var.settings.sku
16 | capacity = try(var.settings.capacity, null)
17 | zone_redundant = try(var.settings.zone_redundant, null)
18 | tags = merge(local.base_tags, try(var.settings.tags, {}))
19 | location = local.location
20 | resource_group_name = local.resource_group_name
21 | }
Check: CKV_AZURE_202: "Ensure that Managed identity provider is enabled for Azure Service Bus"
FAILED for resource: module.example.module.servicebus_namespaces.azurerm_servicebus_namespace.namespace
File: /modules/messaging/servicebus/namespace/namespace.tf:13-21
Calling File: /messaging_servicebus_namespaces.tf:1-18
13 | resource "azurerm_servicebus_namespace" "namespace" {
14 | name = azurecaf_name.namespace.result
15 | sku = var.settings.sku
16 | capacity = try(var.settings.capacity, null)
17 | zone_redundant = try(var.settings.zone_redundant, null)
18 | tags = merge(local.base_tags, try(var.settings.tags, {}))
19 | location = local.location
20 | resource_group_name = local.resource_group_name
21 | }
Check: CKV_AZURE_199: "Ensure that Azure Service Bus uses double encryption"
FAILED for resource: module.example.module.servicebus_namespaces.azurerm_servicebus_namespace.namespace
File: /modules/messaging/servicebus/namespace/namespace.tf:13-21
Calling File: /messaging_servicebus_namespaces.tf:1-18
13 | resource "azurerm_servicebus_namespace" "namespace" {
14 | name = azurecaf_name.namespace.result
15 | sku = var.settings.sku
16 | capacity = try(var.settings.capacity, null)
17 | zone_redundant = try(var.settings.zone_redundant, null)
18 | tags = merge(local.base_tags, try(var.settings.tags, {}))
19 | location = local.location
20 | resource_group_name = local.resource_group_name
21 | }
Check: CKV_AZURE_204: "Ensure 'public network access enabled' is set to 'False' for Azure Service Bus"
FAILED for resource: module.example.module.servicebus_namespaces.azurerm_servicebus_namespace.namespace
File: /modules/messaging/servicebus/namespace/namespace.tf:13-21
Calling File: /messaging_servicebus_namespaces.tf:1-18
13 | resource "azurerm_servicebus_namespace" "namespace" {
14 | name = azurecaf_name.namespace.result
15 | sku = var.settings.sku
16 | capacity = try(var.settings.capacity, null)
17 | zone_redundant = try(var.settings.zone_redundant, null)
18 | tags = merge(local.base_tags, try(var.settings.tags, {}))
19 | location = local.location
20 | resource_group_name = local.resource_group_name
21 | }
Check: CKV_AZURE_203: "Ensure Azure Service Bus Local Authentication is disabled"
FAILED for resource: module.example.module.servicebus_namespaces.azurerm_servicebus_namespace.namespace
File: /modules/messaging/servicebus/namespace/namespace.tf:13-21
Calling File: /messaging_servicebus_namespaces.tf:1-18
13 | resource "azurerm_servicebus_namespace" "namespace" {
14 | name = azurecaf_name.namespace.result
15 | sku = var.settings.sku
16 | capacity = try(var.settings.capacity, null)
17 | zone_redundant = try(var.settings.zone_redundant, null)
18 | tags = merge(local.base_tags, try(var.settings.tags, {}))
19 | location = local.location
20 | resource_group_name = local.resource_group_name
21 | }
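Six checks fail on the same `azurerm_servicebus_namespace` for one reason: the module sets only `sku`, `capacity`, `zone_redundant` and metadata, so every security-relevant argument sits at the provider default. The block below is an added example, not the CAF module's code, that sets each one explicitly and adds the private endpoint that a namespace with public access disabled needs. The variables, the user-assigned identity, the Key Vault key reference, the subnet and the names are assumptions made for the illustration.

```hcl
# Assumed inputs; the CAF module resolves these through locals and remote objects.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "key_vault_key_id" { type = string } # assumed: ID of an existing Key Vault key used as the CMK
variable "subnet_id" { type = string }        # assumed: subnet that will host the private endpoint

# A user-assigned identity can be granted access to the key before the
# namespace exists, which avoids the ordering problem a system-assigned
# identity has with customer-managed keys.
resource "azurerm_user_assigned_identity" "servicebus" {
  name                = "id-sb-example"
  resource_group_name = var.resource_group_name
  location            = var.location
}

resource "azurerm_servicebus_namespace" "example" {
  name                = "sb-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = "Premium" # CMK, private endpoints and zone redundancy all need Premium
  capacity            = 1
  zone_redundant      = true

  minimum_tls_version           = "1.2" # CKV_AZURE_205
  public_network_access_enabled = false # CKV_AZURE_204
  local_auth_enabled            = false # CKV_AZURE_203: no SAS keys, Entra ID only

  identity { # CKV_AZURE_202
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.servicebus.id]
  }

  customer_managed_key { # CKV_AZURE_201 and CKV_AZURE_199
    key_vault_key_id                  = var.key_vault_key_id
    identity_id                       = azurerm_user_assigned_identity.servicebus.id
    infrastructure_encryption_enabled = true
  }
}

# With public access off, consumers reach the namespace through a private
# endpoint in their own VNet instead of the public hostname.
resource "azurerm_private_endpoint" "servicebus" {
  name                = "pe-sb-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "sb-example"
    private_connection_resource_id = azurerm_servicebus_namespace.example.id
    subresource_names              = ["namespace"]
    is_manual_connection           = false
  }
}
```

Prerequisites the scanner cannot see: the Key Vault holding the key must have soft delete and purge protection on, and the identity needs wrap and unwrap rights on that key (an access policy or the Key Vault Crypto Service Encryption User role) before the namespace is created, so add a `depends_on` to that grant in a real module. `local_auth_enabled = false` invalidates every SAS-based connection string, so any client still built around `primary_connection_string` has to move to Entra ID authentication first. Name resolution for the private endpoint needs the `privatelink.servicebus.windows.net` private DNS zone linked to the consuming VNet.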
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.primary_access_key
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:2-7
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
2 | resource "azurerm_key_vault_secret" "primary_access_key" {
3 | for_each = try(var.settings.keyvaults, {})
4 | name = format("%s-primary-access-key", each.value.secret_prefix)
5 | value = azurerm_web_pubsub.wps.primary_access_key
6 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
7 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.primary_access_key
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:2-7
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
2 | resource "azurerm_key_vault_secret" "primary_access_key" {
3 | for_each = try(var.settings.keyvaults, {})
4 | name = format("%s-primary-access-key", each.value.secret_prefix)
5 | value = azurerm_web_pubsub.wps.primary_access_key
6 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
7 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.primary_connection_string
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:9-14
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
9 | resource "azurerm_key_vault_secret" "primary_connection_string" {
10 | for_each = try(var.settings.keyvaults, {})
11 | name = format("%s-primary-connection-string", each.value.secret_prefix)
12 | value = azurerm_web_pubsub.wps.primary_connection_string
13 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
14 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.primary_connection_string
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:9-14
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
9 | resource "azurerm_key_vault_secret" "primary_connection_string" {
10 | for_each = try(var.settings.keyvaults, {})
11 | name = format("%s-primary-connection-string", each.value.secret_prefix)
12 | value = azurerm_web_pubsub.wps.primary_connection_string
13 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
14 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.secondary_access_key
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:16-21
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
16 | resource "azurerm_key_vault_secret" "secondary_access_key" {
17 | for_each = try(var.settings.keyvaults, {})
18 | name = format("%s-secondary-access-key", each.value.secret_prefix)
19 | value = azurerm_web_pubsub.wps.secondary_access_key
20 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
21 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.secondary_access_key
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:16-21
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
16 | resource "azurerm_key_vault_secret" "secondary_access_key" {
17 | for_each = try(var.settings.keyvaults, {})
18 | name = format("%s-secondary-access-key", each.value.secret_prefix)
19 | value = azurerm_web_pubsub.wps.secondary_access_key
20 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
21 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.secondary_connection_string
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:23-28
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
23 | resource "azurerm_key_vault_secret" "secondary_connection_string" {
24 | for_each = try(var.settings.keyvaults, {})
25 | name = format("%s-secondary-connection-string", each.value.secret_prefix)
26 | value = azurerm_web_pubsub.wps.secondary_connection_string
27 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
28 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.web_pubsubs.azurerm_key_vault_secret.secondary_connection_string
File: /modules/messaging/web_pubsub/keyvault_secrets.tf:23-28
Calling File: /web_pubsubs.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
23 | resource "azurerm_key_vault_secret" "secondary_connection_string" {
24 | for_each = try(var.settings.keyvaults, {})
25 | name = format("%s-secondary-connection-string", each.value.secret_prefix)
26 | value = azurerm_web_pubsub.wps.secondary_connection_string
27 | key_vault_id = try(each.value.lz_key, null) == null ? var.remote_objects.keyvaults[var.client_config.landingzone_key][each.key].id : var.remote_objects.keyvaults[each.value.lz_key][each.key].id
28 | }
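All of the CKV_AZURE_41 and CKV_AZURE_114 findings in this section, from the `postgresql_flexible_server` secrets (`postgresql_database_name`, `postgresql_administrator_username`, `postgresql_administrator_password`, `postgresql_fqdn`) through the `postgresql_server` secrets (`postgresql_admin_password`, `sql_admin`, `postgresql_admin_login_name`, `postgresql_fqdn`) and the `maps_account` access keys down to the `web_pubsub` keys and connection strings, share one cause: each `azurerm_key_vault_secret` is created with only `name`, `value` and `key_vault_id`, so the secret carries no expiry and no `content_type`. The block below is an added example and not code from the aztfmod/terraform-azurerm-caf modules; it shows the flagged shape next to one that passes both checks and ties the expiry to an actual rotation of the value. The `hashicorp/time` provider, the `keyvault_id` and `secret_rotation_days` variables, and the resource names are assumptions made for the illustration.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    random  = { source = "hashicorp/random" }
    time    = { source = "hashicorp/time" } # assumed: provides the rotation clock below
  }
}

# Assumed inputs; in the CAF modules these arrive through var.settings and var.remote_objects.
variable "keyvault_id" { type = string }
variable "secret_rotation_days" {
  type    = number
  default = 90
}

# The rotation clock. It is replaced (new id) once rotation_days elapse, which
# is what drives both a new password and a new expiry. Unlike timestamp(), it
# does not change on every plan.
resource "time_rotating" "secret_rotation" {
  rotation_days = var.secret_rotation_days
}

resource "random_password" "postgresql_admin" {
  length  = 32
  special = true
  keepers = {
    rotation = time_rotating.secret_rotation.id # new clock window => new password
  }
}

# BEFORE: the shape every flagged resource has. No expiry, no content_type;
# nothing in the vault says when this value should stop being trusted or what it is.
resource "azurerm_key_vault_secret" "admin_password_flagged" {
  name         = "pg-example-password"
  value        = random_password.postgresql_admin.result
  key_vault_id = var.keyvault_id
}

# AFTER: passes CKV_AZURE_41 (expiration_date) and CKV_AZURE_114 (content_type),
# and the expiry coincides with a rotation of the value instead of being a
# date that is simply pushed out.
resource "azurerm_key_vault_secret" "admin_password" {
  name            = "pg-example-password"
  value           = random_password.postgresql_admin.result
  key_vault_id    = var.keyvault_id
  content_type    = "password"
  expiration_date = time_rotating.secret_rotation.rotation_rfc3339
  # Deliberately no lifecycle { ignore_changes = [value] } as in the scanned
  # modules: with it, the expiry would advance every window while the stored
  # value never changed.
}

# Non-secret metadata (an FQDN, a login name) gets the same treatment; the
# checks do not distinguish it from credentials, and the label is still useful.
resource "azurerm_key_vault_secret" "fqdn" {
  name            = "pg-example-fqdn"
  value           = "pg-example.postgres.database.azure.com" # constructed sample value
  key_vault_id    = var.keyvault_id
  content_type    = "text/plain"
  expiration_date = time_rotating.secret_rotation.rotation_rfc3339
}
```

Two things to keep in mind. The Key Vault documentation describes `exp` on a secret as informational: it drives the SecretNearExpiry and SecretExpired Event Grid events and compliance checks, but it does not revoke anything by itself, so the credential a secret wraps stays valid until the system holding it is changed. That is why the server consuming the password (for example through `administrator_login_password`) should reference `random_password.postgresql_admin.result` directly, so the database credential and the vault entry rotate in the same apply; and a plan has to run after the window elapses for the rotation to happen at all, which argues for a scheduled apply rather than relying on ad hoc runs.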
Check: CKV_AZURE_218: "Ensure Application Gateway defines secure protocols for in transit communication"
FAILED for resource: module.example.module.application_gateways.azurerm_application_gateway.agw
File: /modules/networking/application_gateway/application_gateway.tf:29-381
Calling File: /application_gateways.tf:1-32
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_218: "Ensure Application Gateway defines secure protocols for in transit communication"
FAILED for resource: module.example.module.application_gateway_platforms.azurerm_application_gateway.agw
File: /modules/networking/application_gateway_platform/application_gateway.tf:29-226
Calling File: /application_gateway_platforms.tf:1-25
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_135: "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: module.example.module.application_gateway_waf_policies.azurerm_web_application_firewall_policy.wafpolicy
File: /modules/networking/application_gateway_waf_policies/waf_policy.tf:1-93
Calling File: /application_gateway_waf_policies.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-application-gateway-waf-prevents-message-lookup-in-log4j2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_133: "Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: module.example.module.front_door_waf_policies.azurerm_frontdoor_firewall_policy.wafpolicy
File: /modules/networking/front_door_waf_policy/waf_policy.tf:1-92
Calling File: /front_door_waf_policies.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-front-door-waf-prevents-message-lookup-in-log4j2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_183: "Ensure that VNET uses local DNS addresses"
FAILED for resource: module.example.module.networking.azurerm_virtual_network.vnet
File: /modules/networking/virtual_network/module.tf:13-41
Calling File: /networking.tf:29-62
13 | resource "azurerm_virtual_network" "vnet" {
14 | name = azurecaf_name.caf_name_vnet.result
15 | location = local.location
16 | resource_group_name = local.resource_group_name
17 | address_space = var.settings.vnet.address_space
18 | tags = local.tags
19 |
20 | dns_servers = flatten(
21 | concat(
22 | try(lookup(var.settings.vnet, "dns_servers", [])),
23 | try(local.dns_servers_process, [])
24 | )
25 | )
26 |
27 | bgp_community = try(var.settings.vnet.bgp_community, null)
28 |
29 | dynamic "ddos_protection_plan" {
30 | for_each = var.ddos_id != "" || can(var.global_settings["ddos_protection_plan_id"]) ? [1] : []
31 |
32 | content {
33 | id = var.ddos_id != "" ? var.ddos_id : var.global_settings["ddos_protection_plan_id"]
34 | enable = true
35 | }
36 | }
37 |
38 | lifecycle {
39 | ignore_changes = [name]
40 | }
41 | }
Check: CKV_AZURE_12: "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
FAILED for resource: module.example.module.network_security_groups.module.nsg_flows.azurerm_network_watcher_flow_log.flow[0]
File: /modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf:1-36
Calling File: /modules/networking/network_security_group/nsg_flow_logs.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-1.html
1 | resource "azurerm_network_watcher_flow_log" "flow" {
2 | count = try(var.settings, {}) == {} ? 0 : 1
3 |
4 |
5 | network_watcher_name = try(
6 | var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].name,
7 | format("NetworkWatcher_%s", var.resource_location)
8 | )
9 |
10 | resource_group_name = try(
11 | var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].resource_group_name,
12 | "NetworkWatcherRG"
13 | )
14 | name = var.settings.name
15 | version = try(var.settings.version, 2)
16 | network_security_group_id = var.resource_id
17 | storage_account_id = try(var.diagnostics.diagnostics_destinations.storage[var.settings.storage_account.storage_account_destination][var.resource_location].storage_account_resource_id,
18 | var.diagnostics.storage_accounts[var.diagnostics.diagnostics_destinations.storage[var.settings.storage_account.storage_account_destination][var.resource_location].storage_account_key].id)
19 | enabled = try(var.settings.enabled, false)
20 |
21 | retention_policy {
22 | enabled = try(var.settings.storage_account.retention.enabled, true)
23 | days = try(var.settings.storage_account.retention.days, 10)
24 | }
25 |
26 | dynamic "traffic_analytics" {
27 | for_each = try(var.settings.traffic_analytics, {}) != {} ? [1] : []
28 | content {
29 | enabled = var.settings.traffic_analytics.enabled
30 | interval_in_minutes = try(var.settings.traffic_analytics.interval_in_minutes, null)
31 | workspace_id = can(var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_workspace_id) ? var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_workspace_id : var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].workspace_id
32 | workspace_region = var.resource_location
33 | workspace_resource_id = can(var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_resource_id) ? var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_resource_id : var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].id
34 | }
35 | }
36 | }
Check: CKV_AZURE_12: "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
FAILED for resource: module.example.module.networking.module.nsg.module.nsg_flows.azurerm_network_watcher_flow_log.flow[0]
File: /modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf:1-36
Calling File: /modules/networking/virtual_network/nsg/nsg_flow_logs.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-1.html
1 | resource "azurerm_network_watcher_flow_log" "flow" {
2 | count = try(var.settings, {}) == {} ? 0 : 1
3 |
4 |
5 | network_watcher_name = try(
6 | var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].name,
7 | format("NetworkWatcher_%s", var.resource_location)
8 | )
9 |
10 | resource_group_name = try(
11 | var.network_watchers[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.network_watcher_key].resource_group_name,
12 | "NetworkWatcherRG"
13 | )
14 | name = var.settings.name
15 | version = try(var.settings.version, 2)
16 | network_security_group_id = var.resource_id
17 | storage_account_id = try(var.diagnostics.diagnostics_destinations.storage[var.settings.storage_account.storage_account_destination][var.resource_location].storage_account_resource_id,
18 | var.diagnostics.storage_accounts[var.diagnostics.diagnostics_destinations.storage[var.settings.storage_account.storage_account_destination][var.resource_location].storage_account_key].id)
19 | enabled = try(var.settings.enabled, false)
20 |
21 | retention_policy {
22 | enabled = try(var.settings.storage_account.retention.enabled, true)
23 | days = try(var.settings.storage_account.retention.days, 10)
24 | }
25 |
26 | dynamic "traffic_analytics" {
27 | for_each = try(var.settings.traffic_analytics, {}) != {} ? [1] : []
28 | content {
29 | enabled = var.settings.traffic_analytics.enabled
30 | interval_in_minutes = try(var.settings.traffic_analytics.interval_in_minutes, null)
31 | workspace_id = can(var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_workspace_id) ? var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_workspace_id : var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].workspace_id
32 | workspace_region = var.resource_location
33 | workspace_resource_id = can(var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_resource_id) ? var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_resource_id : var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].id
34 | }
35 | }
36 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret_value.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret_value.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret_value.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret_value.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret/keyvault_secret.tf:1-11
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | name = var.name
3 | value = var.value
4 | key_vault_id = var.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = [
8 | key_vault_id
9 | ]
10 | }
11 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret_dynamic.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_dynamic/keyvault_secret.tf:7-17
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:39-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
7 | resource "azurerm_key_vault_secret" "secret" {
8 | name = var.name
9 | value = random_password.value.result
10 | key_vault_id = var.keyvault_id
11 |
12 | lifecycle {
13 | ignore_changes = [
14 | key_vault_id
15 | ]
16 | }
17 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret_dynamic.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_dynamic/keyvault_secret.tf:7-17
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:39-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
7 | resource "azurerm_key_vault_secret" "secret" {
8 | name = var.name
9 | value = random_password.value.result
10 | key_vault_id = var.keyvault_id
11 |
12 | lifecycle {
13 | ignore_changes = [
14 | key_vault_id
15 | ]
16 | }
17 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret_dynamic.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_dynamic/keyvault_secret.tf:7-17
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:39-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
7 | resource "azurerm_key_vault_secret" "secret" {
8 | name = var.name
9 | value = random_password.value.result
10 | key_vault_id = var.keyvault_id
11 |
12 | lifecycle {
13 | ignore_changes = [
14 | key_vault_id
15 | ]
16 | }
17 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret_dynamic.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_dynamic/keyvault_secret.tf:7-17
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:39-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
7 | resource "azurerm_key_vault_secret" "secret" {
8 | name = var.name
9 | value = random_password.value.result
10 | key_vault_id = var.keyvault_id
11 |
12 | lifecycle {
13 | ignore_changes = [
14 | key_vault_id
15 | ]
16 | }
17 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret_immutable.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_immutable/keyvault_secret.tf:1-12
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | count = var.value == "" ? 1 : 0
3 | name = var.name
4 | value = var.value
5 | key_vault_id = var.keyvault_id
6 |
7 | lifecycle {
8 | ignore_changes = [
9 | value, key_vault_id
10 | ]
11 | }
12 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.example.module.dynamic_keyvault_secrets.module.secret_immutable.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_immutable/keyvault_secret.tf:1-12
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | count = var.value == "" ? 1 : 0
3 | name = var.name
4 | value = var.value
5 | key_vault_id = var.keyvault_id
6 |
7 | lifecycle {
8 | ignore_changes = [
9 | value, key_vault_id
10 | ]
11 | }
12 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret_immutable.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_immutable/keyvault_secret.tf:1-12
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | count = var.value == "" ? 1 : 0
3 | name = var.name
4 | value = var.value
5 | key_vault_id = var.keyvault_id
6 |
7 | lifecycle {
8 | ignore_changes = [
9 | value, key_vault_id
10 | ]
11 | }
12 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.dynamic_keyvault_secrets.module.secret_immutable.azurerm_key_vault_secret.secret
File: /modules/security/dynamic_keyvault_secrets/secret_immutable/keyvault_secret.tf:1-12
Calling File: /modules/security/dynamic_keyvault_secrets/keyvault.tf:26-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "secret" {
2 | count = var.value == "" ? 1 : 0
3 | name = var.name
4 | value = var.value
5 | key_vault_id = var.keyvault_id
6 |
7 | lifecycle {
8 | ignore_changes = [
9 | value, key_vault_id
10 | ]
11 | }
12 | }
Check: CKV_AZURE_112: "Ensure that key vault key is backed by HSM"
FAILED for resource: module.example.module.keyvault_keys.azurerm_key_vault_key.key
File: /modules/security/keyvault_key/key.tf:1-25
Calling File: /keyvault_keys.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-key-is-backed-by-hsm.html
1 | resource "azurerm_key_vault_key" "key" {
2 | name = var.settings.name
3 | key_vault_id = var.keyvaults[try(var.settings.lz_key, var.client_config.landingzone_key)][var.settings.keyvault_key].id
4 | key_type = var.settings.key_type
5 | key_opts = var.settings.key_opts
6 |
7 | key_size = try(var.settings.key_size, null)
8 | curve = try(var.settings.curve, null)
9 | not_before_date = try(var.settings.not_before_date, null)
10 | expiration_date = try(var.settings.expiration_date, null)
11 | tags = local.tags
12 | dynamic "rotation_policy" {
13 | for_each = can(var.settings.rotation_policy) ? [1] : []
14 | content {
15 | expire_after = try(var.settings.rotation_policy.expire_after, null)
16 | notify_before_expiry = try(var.settings.rotation_policy.notify_before_expiry, null)
17 | dynamic "automatic" {
18 | for_each = can(var.settings.rotation_policy.automatic) ? [1] : []
19 | content {
20 | time_before_expiry = try(var.settings.rotation_policy.automatic.time_before_expiry, null)
21 | }
22 | }
23 | }
24 | }
25 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.example.module.diagnostic_storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Calling File: /diagnostics.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
FAILED for resource: module.example.module.diagnostic_storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Calling File: /diagnostics.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
FAILED for resource: module.example.module.diagnostic_storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Calling File: /diagnostics.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.example.module.storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Calling File: /storage_accounts.tf:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_35: "Ensure default network access rule for Storage Accounts is set to deny"
FAILED for resource: module.example.module.storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Calling File: /storage_accounts.tf:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-default-network-access-rule-for-storage-accounts-to-deny.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
FAILED for resource: module.example.module.storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Calling File: /storage_accounts.tf:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_80: "Ensure that 'Net Framework' version is the latest, if used as a part of the web app"
FAILED for resource: module.example.module.app_services.azurerm_app_service.app_service
File: /modules/webapps/appservice/module.tf:15-278
Calling File: /app_services.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: module.example.module.app_services.azurerm_app_service.app_service
File: /modules/webapps/appservice/module.tf:15-278
Calling File: /app_services.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_11: "Ensure that Azure Data Explorer encryption at rest uses a customer-managed key"
FAILED for resource: module.example.module.kusto_clusters.azurerm_kusto_cluster.kusto
File: /modules/databases/data_explorer/kusto_clusters/module.tf:14-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-azure-data-explorer-encryption-at-rest-uses-a-customer-managed-key.html
14 | resource "azurerm_kusto_cluster" "kusto" {
15 | name = azurecaf_name.kusto.result
16 | location = var.location
17 | resource_group_name = var.resource_group_name
18 | dynamic "sku" {
19 | for_each = try(var.settings.sku, null) != null ? [var.settings.sku] : []
20 |
21 | content {
22 | name = sku.value.name
23 | capacity = lookup(sku.value, "capacity", null)
24 | }
25 | }
26 | double_encryption_enabled = try(var.settings.double_encryption_enabled, null)
27 | dynamic "identity" {
28 | for_each = try(var.settings.identity, false) == false ? [] : [1]
29 |
30 | content {
31 | type = var.settings.identity.type
32 | identity_ids = local.managed_identities
33 | }
34 | }
35 | disk_encryption_enabled = try(var.settings.enable_disk_encryption, var.settings.disk_encryption_enabled, null)
36 | streaming_ingestion_enabled = try(var.settings.enable_streaming_ingest, var.settings.streaming_ingestion_enabled, null)
37 | purge_enabled = try(var.settings.enable_purge, var.settings.purge_enabled, null)
38 | dynamic "virtual_network_configuration" {
39 | for_each = try(var.settings.virtual_network_configuration, null) != null ? [var.settings.virtual_network_configuration] : []
40 | content {
41 | subnet_id = can(virtual_network_configuration.value.subnet_id) || can(virtual_network_configuration.value.subnet_key) == false ? try(virtual_network_configuration.value.subnet_id, null) : try(virtual_network_configuration.value.vnet_key, null) == null ? null : var.combined_resources.vnets[try(virtual_network_configuration.value.lz_key, var.client_config.landingzone_key)][virtual_network_configuration.value.vnet_key].subnets[virtual_network_configuration.value.subnet_key].id
42 | engine_public_ip_id = try(virtual_network_configuration.value.engine_public_ip.key, null) == null ? null : try(var.combined_resources.pips[try(virtual_network_configuration.value.engine_public_ip.lz_key, var.client_config.landingzone_key)][virtual_network_configuration.value.engine_public_ip.key].id, null)
43 | data_management_public_ip_id = try(virtual_network_configuration.value.data_management_public_ip.key, null) == null ? null : try(var.combined_resources.pips[try(virtual_network_configuration.value.data_management_public_ip.lz_key, var.client_config.landingzone_key)][virtual_network_configuration.value.data_management_public_ip.key].id, null)
44 | }
45 | }
46 | language_extensions = try(var.settings.language_extensions, null)
47 | dynamic "optimized_auto_scale" {
48 | for_each = try(var.settings.optimized_auto_scale, null) != null ? [var.settings.optimized_auto_scale] : []
49 |
50 | content {
51 | minimum_instances = optimized_auto_scale.value.minimum_instances
52 | maximum_instances = optimized_auto_scale.value.maximum_instances
53 | }
54 | }
55 | trusted_external_tenants = try(var.settings.trusted_external_tenants, null)
56 | zones = try(var.settings.zones, null)
57 | engine = try(var.settings.engine, null)
58 | auto_stop_enabled = try(var.settings.auto_stop_enabled, null)
59 | tags = local.tags
60 | }
Check: CKV2_AZURE_3: "Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server"
FAILED for resource: module.example.module.mssql_servers.azurerm_mssql_server_vulnerability_assessment.mssql[0]
File: /modules/databases/mssql_server/vulnerability_assessment.tf:12-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-va-setting-periodic-recurring-scans-is-enabled-on-a-sql-server.html
12 | resource "azurerm_mssql_server_vulnerability_assessment" "mssql" {
13 | count = try(var.settings.security_alert_policy.vulnerability_assessment, null) == null ? 0 : 1
14 |
15 | server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.mssql.0.id
16 | storage_container_path = format("%s%s/", data.azurerm_storage_account.mssql_va.0.primary_blob_endpoint, try(var.settings.security_alert_policy.vulnerability_assessment.storage_account.container_path, "vascans"))
17 | storage_account_access_key = data.azurerm_storage_account.mssql_va.0.primary_access_key
18 | recurring_scans {
19 | enabled = try(var.settings.security_alert_policy.vulnerability_assessment.enabled, true)
20 | email_subscription_admins = try(var.settings.security_alert_policy.vulnerability_assessment.email_subscription_admins, false)
21 | emails = try(var.settings.security_alert_policy.vulnerability_assessment.email_addresses, null)
22 | }
23 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.example.module.diagnostic_storage_accounts.module.container.azurerm_storage_container.stg
File: /modules/storage_account/container/container.tf:4-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
4 | resource "azurerm_storage_container" "stg" {
5 | name = var.settings.name
6 | storage_account_name = var.storage_account_name
7 | container_access_type = try(var.settings.container_access_type, "private")
8 | metadata = try(var.settings.metadata, null)
9 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.example.module.storage_accounts.module.container.azurerm_storage_container.stg
File: /modules/storage_account/container/container.tf:4-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
4 | resource "azurerm_storage_container" "stg" {
5 | name = var.settings.name
6 | storage_account_name = var.storage_account_name
7 | container_access_type = try(var.settings.container_access_type, "private")
8 | metadata = try(var.settings.metadata, null)
9 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.example.module.storage_containers.azurerm_storage_container.stg
File: /modules/storage_account/container/container.tf:4-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
4 | resource "azurerm_storage_container" "stg" {
5 | name = var.settings.name
6 | storage_account_name = var.storage_account_name
7 | container_access_type = try(var.settings.container_access_type, "private")
8 | metadata = try(var.settings.metadata, null)
9 | }
Check: CKV2_AZURE_19: "Ensure that Azure Synapse workspaces have no IP firewall rules attached"
FAILED for resource: module.example.module.synapse_workspaces.azurerm_synapse_workspace.ws
File: /modules/analytics/synapse/workspace.tf:14-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-synapse-workspaces-have-no-ip-firewall-rules-attached.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_22: "Ensure that Cognitive Services enables customer-managed key for encryption"
FAILED for resource: module.example.module.cognitive_services_account.azurerm_cognitive_account.service
File: /modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf:11-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-azure-cognitive-services-enables-customer-managed-keys-cmks-for-encryption.html
11 | resource "azurerm_cognitive_account" "service" {
12 | name = azurecaf_name.service.result
13 | location = var.location
14 | resource_group_name = var.resource_group_name
15 | kind = var.settings.kind
16 | sku_name = var.settings.sku_name
17 |
18 | qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null)
19 |
20 | dynamic "network_acls" {
21 | for_each = can(var.settings.network_acls) ? [var.settings.network_acls] : []
22 | content {
23 | default_action = network_acls.value.default_action
24 | ip_rules = try(network_acls.value.ip_rules, null)
25 |
26 | # to support migration from 2.99.0 to 3.7.0
27 | dynamic "virtual_network_rules" {
28 | for_each = can(network_acls.value.virtual_network_subnet_ids) ? toset(network_acls.value.virtual_network_subnet_ids) : []
29 |
30 | content {
31 | subnet_id = virtual_network_rules.value
32 | }
33 | }
34 |
35 | dynamic "virtual_network_rules" {
36 | for_each = try(network_acls.value.virtual_network_rules, {})
37 |
38 | content {
39 | subnet_id = virtual_network_rules.value.subnet_id
40 | ignore_missing_vnet_service_endpoint = try(virtual_network_rules.value.ignore_missing_vnet_service_endpoint, null)
41 | }
42 | }
43 | }
44 | }
45 |
46 | custom_subdomain_name = try(var.settings.custom_subdomain_name, null)
47 |
48 | tags = try(var.settings.tags, {})
49 | }
Check: CKV2_AZURE_9: "Ensure Virtual Machines are utilizing Managed Disks"
FAILED for resource: module.example.module.virtual_machines.azurerm_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_legacy.tf:29-214
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-virtual-machines-are-utilizing-managed-disks.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_5: "Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"
FAILED for resource: module.example.module.mssql_servers.azurerm_mssql_server_vulnerability_assessment.mssql[0]
File: /modules/databases/mssql_server/vulnerability_assessment.tf:12-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-va-setting-also-send-email-notifications-to-admins-and-subscription-owners-is-set-for-an-sql-server.html
12 | resource "azurerm_mssql_server_vulnerability_assessment" "mssql" {
13 | count = try(var.settings.security_alert_policy.vulnerability_assessment, null) == null ? 0 : 1
14 |
15 | server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.mssql.0.id
16 | storage_container_path = format("%s%s/", data.azurerm_storage_account.mssql_va.0.primary_blob_endpoint, try(var.settings.security_alert_policy.vulnerability_assessment.storage_account.container_path, "vascans"))
17 | storage_account_access_key = data.azurerm_storage_account.mssql_va.0.primary_access_key
18 | recurring_scans {
19 | enabled = try(var.settings.security_alert_policy.vulnerability_assessment.enabled, true)
20 | email_subscription_admins = try(var.settings.security_alert_policy.vulnerability_assessment.email_subscription_admins, false)
21 | emails = try(var.settings.security_alert_policy.vulnerability_assessment.email_addresses, null)
22 | }
23 | }
Check: CKV2_AZURE_15: "Ensure that Azure data factories are encrypted with a customer-managed key"
FAILED for resource: module.example.module.data_factory.azurerm_data_factory.df
File: /modules/data_factory/data_factory/module.tf:11-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-azure-data-factories-are-encrypted-with-a-customer-managed-key.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_24: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
FAILED for resource: module.example.module.mssql_servers.azurerm_mssql_server.mssql
File: /modules/databases/mssql_server/server.tf:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-3.html
1 | resource "azurerm_mssql_server" "mssql" {
2 | name = azurecaf_name.mssql.result
3 | resource_group_name = local.resource_group_name
4 | location = local.location
5 | version = try(var.settings.version, "12.0")
6 | administrator_login = try(var.settings.azuread_administrator.azuread_authentication_only, false) == true ? null : var.settings.administrator_login
7 | administrator_login_password = try(var.settings.azuread_administrator.azuread_authentication_only, false) == true ? null : try(var.settings.administrator_login_password, azurerm_key_vault_secret.sql_admin_password.0.value)
8 | public_network_access_enabled = try(var.settings.public_network_access_enabled, true)
9 | connection_policy = try(var.settings.connection_policy, null)
10 | minimum_tls_version = try(var.settings.minimum_tls_version, null)
11 | tags = local.tags
12 |
13 | dynamic "azuread_administrator" {
14 | for_each = can(var.settings.azuread_administrator) ? [var.settings.azuread_administrator] : []
15 |
16 | content {
17 | azuread_authentication_only = try(var.settings.azuread_administrator.azuread_authentication_only, false)
18 | login_username = can(var.settings.azuread_administrator.login_username) ? var.settings.azuread_administrator.login_username : try(var.azuread_groups[var.client_config.landingzone_key][var.settings.azuread_administrator.azuread_group_key].display_name, var.azuread_groups[var.settings.azuread_administrator.lz_key][var.settings.azuread_administrator.azuread_group_key].display_name)
19 | object_id = can(var.settings.azuread_administrator.object_id) ? var.settings.azuread_administrator.object_id : try(var.azuread_groups[var.client_config.landingzone_key][var.settings.azuread_administrator.azuread_group_key].id, var.azuread_groups[var.settings.azuread_administrator.lz_key][var.settings.azuread_administrator.azuread_group_key].id)
20 | tenant_id = can(var.settings.azuread_administrator.tenant_id) ? var.settings.azuread_administrator.tenant_id : try(var.azuread_groups[var.client_config.landingzone_key][var.settings.azuread_administrator.azuread_group_key].tenant_id, var.azuread_groups[var.settings.azuread_administrator.lz_key][var.settings.azuread_administrator.azuread_group_key].tenant_id)
21 | }
22 | }
23 |
24 | dynamic "identity" {
25 | for_each = can(var.settings.identity) ? [var.settings.identity] : []
26 |
27 | content {
28 | type = identity.value.type
29 | }
30 | }
31 |
32 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: module.example.module.virtual_machines.azurerm_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_legacy.tf:29-214
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_29: "Ensure AKS cluster has Azure CNI networking enabled"
FAILED for resource: module.example.module.aks_clusters.azurerm_kubernetes_cluster.aks
File: /modules/compute/aks/aks.tf:40-436
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.example.module.diagnostic_storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.example.module.storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_16: "Ensure that MySQL server enables customer-managed key for encryption"
FAILED for resource: module.example.module.mysql_servers.azurerm_mysql_server.mysql
File: /modules/databases/mysql_server/server.tf:1-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-mysql-server-enables-customer-managed-key-for-encryption.html
1 | resource "azurerm_mysql_server" "mysql" {
2 |
3 | name = azurecaf_name.mysql.result
4 | resource_group_name = local.resource_group_name
5 | location = local.location
6 | version = var.settings.version
7 | sku_name = var.settings.sku_name
8 |
9 | administrator_login = var.settings.administrator_login
10 | administrator_login_password = try(var.settings.administrator_login_password, azurerm_key_vault_secret.mysql_admin_password.0.value)
11 |
12 | auto_grow_enabled = try(var.settings.auto_grow_enabled, true)
13 | storage_mb = var.settings.storage_mb
14 | backup_retention_days = try(var.settings.backup_retention_days, null)
15 | create_mode = try(var.settings.create_mode, "Default")
16 | creation_source_server_id = try(var.settings.creation_source_server_id, null)
17 | geo_redundant_backup_enabled = try(var.settings.geo_redundant_backup_enabled, null)
18 | infrastructure_encryption_enabled = try(var.settings.infrastructure_encryption_enabled, false)
19 | restore_point_in_time = try(var.settings.restore_point_in_time, null)
20 | public_network_access_enabled = try(var.settings.public_network_access_enabled, true)
21 | ssl_enforcement_enabled = try(var.settings.ssl_enforcement_enabled, true)
22 | ssl_minimal_tls_version_enforced = try(var.settings.ssl_minimal_tls_version_enforced, "TLSEnforcementDisabled")
23 | tags = local.tags
24 |
25 | dynamic "identity" {
26 | for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
27 |
28 | content {
29 | type = var.settings.identity.type
30 | }
31 | }
32 |
33 | }
Check: CKV_AZURE_23: "Ensure that 'Auditing' is set to 'On' for SQL servers"
FAILED for resource: module.example.module.mssql_servers.azurerm_mssql_server.mssql
File: /modules/databases/mssql_server/server.tf:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-2.html
1 | resource "azurerm_mssql_server" "mssql" {
2 | name = azurecaf_name.mssql.result
3 | resource_group_name = local.resource_group_name
4 | location = local.location
5 | version = try(var.settings.version, "12.0")
6 | administrator_login = try(var.settings.azuread_administrator.azuread_authentication_only, false) == true ? null : var.settings.administrator_login
7 | administrator_login_password = try(var.settings.azuread_administrator.azuread_authentication_only, false) == true ? null : try(var.settings.administrator_login_password, azurerm_key_vault_secret.sql_admin_password.0.value)
8 | public_network_access_enabled = try(var.settings.public_network_access_enabled, true)
9 | connection_policy = try(var.settings.connection_policy, null)
10 | minimum_tls_version = try(var.settings.minimum_tls_version, null)
11 | tags = local.tags
12 |
13 | dynamic "azuread_administrator" {
14 | for_each = can(var.settings.azuread_administrator) ? [var.settings.azuread_administrator] : []
15 |
16 | content {
17 | azuread_authentication_only = try(var.settings.azuread_administrator.azuread_authentication_only, false)
18 | login_username = can(var.settings.azuread_administrator.login_username) ? var.settings.azuread_administrator.login_username : try(var.azuread_groups[var.client_config.landingzone_key][var.settings.azuread_administrator.azuread_group_key].display_name, var.azuread_groups[var.settings.azuread_administrator.lz_key][var.settings.azuread_administrator.azuread_group_key].display_name)
19 | object_id = can(var.settings.azuread_administrator.object_id) ? var.settings.azuread_administrator.object_id : try(var.azuread_groups[var.client_config.landingzone_key][var.settings.azuread_administrator.azuread_group_key].id, var.azuread_groups[var.settings.azuread_administrator.lz_key][var.settings.azuread_administrator.azuread_group_key].id)
20 | tenant_id = can(var.settings.azuread_administrator.tenant_id) ? var.settings.azuread_administrator.tenant_id : try(var.azuread_groups[var.client_config.landingzone_key][var.settings.azuread_administrator.azuread_group_key].tenant_id, var.azuread_groups[var.settings.azuread_administrator.lz_key][var.settings.azuread_administrator.azuread_group_key].tenant_id)
21 | }
22 | }
23 |
24 | dynamic "identity" {
25 | for_each = can(var.settings.identity) ? [var.settings.identity] : []
26 |
27 | content {
28 | type = identity.value.type
29 | }
30 | }
31 |
32 | }
Check: CKV2_AZURE_4: "Ensure Azure SQL server ADS VA Send scan reports to is configured"
FAILED for resource: module.example.module.mssql_servers.azurerm_mssql_server_vulnerability_assessment.mssql[0]
File: /modules/databases/mssql_server/vulnerability_assessment.tf:12-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-va-setting-send-scan-reports-to-is-configured-for-a-sql-server.html
12 | resource "azurerm_mssql_server_vulnerability_assessment" "mssql" {
13 | count = try(var.settings.security_alert_policy.vulnerability_assessment, null) == null ? 0 : 1
14 |
15 | server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.mssql.0.id
16 | storage_container_path = format("%s%s/", data.azurerm_storage_account.mssql_va.0.primary_blob_endpoint, try(var.settings.security_alert_policy.vulnerability_assessment.storage_account.container_path, "vascans"))
17 | storage_account_access_key = data.azurerm_storage_account.mssql_va.0.primary_access_key
18 | recurring_scans {
19 | enabled = try(var.settings.security_alert_policy.vulnerability_assessment.enabled, true)
20 | email_subscription_admins = try(var.settings.security_alert_policy.vulnerability_assessment.email_subscription_admins, false)
21 | emails = try(var.settings.security_alert_policy.vulnerability_assessment.email_addresses, null)
22 | }
23 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: module.example.module.virtual_machines.azurerm_virtual_machine.vm
File: /modules/compute/virtual_machine/vm_legacy.tf:29-214
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.example.module.networking.module.special_subnets.azurerm_subnet.subnet
File: /modules/networking/virtual_network/subnet/subnet.tf:12-39
12 | resource "azurerm_subnet" "subnet" {
13 |
14 | name = azurecaf_name.subnet.result
15 | resource_group_name = var.resource_group_name
16 | virtual_network_name = var.virtual_network_name
17 | address_prefixes = var.address_prefixes
18 | service_endpoints = var.service_endpoints
19 | private_endpoint_network_policies_enabled = try(var.private_endpoint_network_policies_enabled, null)
20 | private_link_service_network_policies_enabled = try(var.private_link_service_network_policies_enabled, null)
21 |
22 | dynamic "delegation" {
23 | for_each = try(var.settings.delegation, null) == null ? [] : [1]
24 |
25 | content {
26 | name = var.settings.delegation.name
27 |
28 | service_delegation {
29 | name = var.settings.delegation.service_delegation
30 | actions = lookup(var.settings.delegation, "actions", null)
31 | }
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [name]
37 | }
38 |
39 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.example.module.networking.module.subnets.azurerm_subnet.subnet
File: /modules/networking/virtual_network/subnet/subnet.tf:12-39
12 | resource "azurerm_subnet" "subnet" {
13 |
14 | name = azurecaf_name.subnet.result
15 | resource_group_name = var.resource_group_name
16 | virtual_network_name = var.virtual_network_name
17 | address_prefixes = var.address_prefixes
18 | service_endpoints = var.service_endpoints
19 | private_endpoint_network_policies_enabled = try(var.private_endpoint_network_policies_enabled, null)
20 | private_link_service_network_policies_enabled = try(var.private_link_service_network_policies_enabled, null)
21 |
22 | dynamic "delegation" {
23 | for_each = try(var.settings.delegation, null) == null ? [] : [1]
24 |
25 | content {
26 | name = var.settings.delegation.name
27 |
28 | service_delegation {
29 | name = var.settings.delegation.service_delegation
30 | actions = lookup(var.settings.delegation, "actions", null)
31 | }
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [name]
37 | }
38 |
39 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: module.example.module.virtual_subnets.azurerm_subnet.subnet
File: /modules/networking/virtual_network/subnet/subnet.tf:12-39
12 | resource "azurerm_subnet" "subnet" {
13 |
14 | name = azurecaf_name.subnet.result
15 | resource_group_name = var.resource_group_name
16 | virtual_network_name = var.virtual_network_name
17 | address_prefixes = var.address_prefixes
18 | service_endpoints = var.service_endpoints
19 | private_endpoint_network_policies_enabled = try(var.private_endpoint_network_policies_enabled, null)
20 | private_link_service_network_policies_enabled = try(var.private_link_service_network_policies_enabled, null)
21 |
22 | dynamic "delegation" {
23 | for_each = try(var.settings.delegation, null) == null ? [] : [1]
24 |
25 | content {
26 | name = var.settings.delegation.name
27 |
28 | service_delegation {
29 | name = var.settings.delegation.service_delegation
30 | actions = lookup(var.settings.delegation, "actions", null)
31 | }
32 | }
33 | }
34 |
35 | lifecycle {
36 | ignore_changes = [name]
37 | }
38 |
39 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.example.module.diagnostic_storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.example.module.storage_accounts.azurerm_storage_account.stg
File: /modules/storage_account/storage_account.tf:20-256
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
arm scan results:
Passed checks: 0, Failed checks: 1, Skipped checks: 0
Check: CKV_AZURE_216: "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
FAILED for resource: Microsoft.Network/azureFirewalls.[parameters('name')]
File: /modules/networking/virtual_wan/virtual_hub/arm_template_vhub_firewall.json:36-50
36 | {
37 | "apiVersion": "2019-09-01",
38 | "type": "Microsoft.Network/azureFirewalls",
39 | "name": "[parameters('name')]",
40 | "location": "[parameters('location')]",
41 | "properties": {
42 | "virtualHub": {
43 | "id": "[parameters('vwan_id')]"
44 | },
45 | "sku": {
46 | "Name": "AZFW_Hub",
47 | "Tier": "Standard"
48 | }
49 | }
50 | }
github_actions scan results:
Passed checks: 404, Failed checks: 12, Skipped checks: 0
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(landingzone)
File: /.github/workflows/landingzone-scenarios.yaml:11-36
11 | destroy:
12 | description: Destroy the deployments at the end.
13 | default: true
14 | type: bool
15 | landingzone_ref:
16 | description: Set the base terraform landingzone tag, branch or ref to use to deploy the code
17 | default: sqlmi.native.bugbash2
18 | type: string
19 | restart_phase:
20 | description: "Select the phase to restart the job from:"
21 | required: true
22 | type: choice
23 | default: phase1
24 | options:
25 | - phase1
26 | - phase2
27 | scenario:
28 | description: "Select the scenario you want to run:"
29 | required: false
30 | type: choice
31 | default: "landingzone-scenarios-longrunners.json"
32 | options:
33 | - landingzone-scenarios-longrunners.json
34 |
35 | env:
36 | TF_CLI_ARGS: "-no-color"
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(standalone-tf100)
File: /.github/workflows/standalone-tf100.yaml:11-24
11 | scenario:
12 | description: "Select the scenario you want to run:"
13 | required: false
14 | type: choice
15 | default: "standalone-scenarios.json"
16 | options:
17 | - standalone-scenarios-azuread.json
18 | - standalone-scenarios.json
19 | - standalone-compute.json
20 | - standalone-networking.json
21 | - standalone-scenarios-longrunners.json
22 |
23 | env:
24 | TF_CLI_ARGS: "-no-color"
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(standalone-regressor-tf100)
File: /.github/workflows/standalone-regressor-tf100.yaml:11-28
11 | base_version:
12 | description: 'Select the base version to use as baseline (refer to tags)'
13 | required: true
14 | type: string
15 | scenario:
16 | description: 'Select the scenario you want to run:'
17 | required: false
18 | type: choice
19 | default: 'standalone-scenarios.json'
20 | options:
21 | - standalone-scenarios-azuread.json
22 | - standalone-scenarios.json
23 | - standalone-compute.json
24 | - standalone-networking.json
25 | - standalone-scenarios-longrunners.json
26 |
27 | env:
28 | TF_CLI_ARGS: '-no-color'
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(landingzone)
File: /.github/workflows/landingzone-scenarios.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(standalone-tf100)
File: /.github/workflows/standalone-tf100.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(rover)
File: /.github/workflows/rover.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(standalone-compute)
File: /.github/workflows/standalone-compute.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(standalone-regressor-tf100)
File: /.github/workflows/standalone-regressor-tf100.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Release Drafter)
File: /.github/workflows/release-drafter.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(phases_dispatcher)
File: /.github/workflows/phases.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(phases_dispatcher_destroy)
File: /.github/workflows/phases_destroy.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(standalone-networking)
File: /.github/workflows/standalone-networking.yaml:0-1
ansible scan results:
Passed checks: 4, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools